CVE-2025-66035 (High) detected in common-11.2.14.tgz

## CVE-2025-66035 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - common-11.2.14.tgz</summary>

Angular - commonly needed directives and services
Library home page: <a href="https://registry.npmjs.org/@angular/common/-/common-11.2.14.tgz">https://registry.npmjs.org/@angular/common/-/common-11.2.14.tgz</a>
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/@angular/common/package.json


Dependency Hierarchy:
 - :x: **common-11.2.14.tgz** (Vulnerable Library)
Found in HEAD commit: <a href="https://github.com/Tim-Demo/JuiceShop/commit/ba236fd18ec3e6450d68d675bce1609d2e5d3230">ba236fd18ec3e6450d68d675bce1609d2e5d3230</a>
Found in base branch: main

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> Vulnerability Details</summary>
 
 
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Publish Date: 2025-11-26
URL: <a href=https://www.mend.io/vulnerability-database/CVE-2025-66035>CVE-2025-66035</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (8.6)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: None
 - Scope: Changed
- Impact Metrics:
 - Confidentiality Impact: High
 - Integrity Impact: None
 - Availability Impact: None

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Release Date: 2025-11-26
Fix Resolution: https://github.com/angular/angular.git - 19.2.16,https://github.com/angular/angular.git - 20.3.14


</details>


***
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

CVE-2025-66035 (High) detected in common-11.2.14.tgz #333

CVE-2025-66035 - High Severity Vulnerability

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

CVE-2025-66035 (High) detected in common-11.2.14.tgz #333

Description

CVE-2025-66035 - High Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions