[Pkg-javascript-devel] Bug#1126776: angular.js: CVE-2025-66035

Salvatore Bonaccorso carnil at debian.org
Sun Feb 1 09:58:33 GMT 2026


Source: angular.js
Version: 1.8.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for angular.js.

It is not clear whether this affects the old version in Debian; can you
investigate?

CVE-2025-66035[0]:
| Angular is a development platform for building mobile and desktop
| web applications using TypeScript/JavaScript and other languages.
| Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF
| token leakage via protocol-relative URLs in angular HTTP clients.
| The vulnerability is a Credential Leak by App Logic that leads to
| the unauthorized disclosure of the Cross-Site Request Forgery (XSRF)
| token to an attacker-controlled domain. Angular's HttpClient has a
| built-in XSRF protection mechanism that works by checking if a
| request URL starts with a protocol (http:// or https://) to
| determine if it is cross-origin. If the URL starts with a protocol-
| relative URL (//), it is incorrectly treated as a same-origin
| request, and the XSRF token is automatically added to the X-XSRF-
| TOKEN header. This issue has been patched in versions 19.2.16,
| 20.3.14, and 21.0.1. A workaround for this issue involves avoiding
| using protocol-relative URLs (URLs starting with //) in HttpClient
| requests. All backend communication URLs should be hardcoded as
| relative paths (starting with a single /) or fully qualified,
| trusted absolute URLs.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66035
    https://www.cve.org/CVERecord?id=CVE-2025-66035
[1] https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
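The following is an added example, not code from Angular or from this bug report: a stand-alone JavaScript model of the XSRF-token attachment decision the CVE text describes, with the vulnerable prefix check beside the patched one and beside an origin comparison done with the URL parser. All function names, the page origin `https://app.example`, the token value and the request URLs are constructed for illustration. The backslash URL is included only to show why an origin comparison is the more general check (the WHATWG URL parser treats `\` like `/` for http(s) references); it says nothing about what any Angular release does. Whether the AngularJS 1.8.3 `$http` code in the Debian package shares the described logic is the open question of this report and is not answered here.

```javascript
// Added example, not Angular's code: a stand-alone model of the XSRF-token
// attachment decision the CVE text describes. All function names are ours.

// Constructed sample values (not captured from a real application).
const SAMPLE_TOKEN = 'constructed-xsrf-token-value';
const PAGE_ORIGIN = 'https://app.example'; // assumed origin of the page

// Decision as described for the affected versions: only an explicit
// http:// or https:// scheme marks a request as cross-origin, so a
// protocol-relative URL ("//attacker.example/...") is mis-classified as
// same-origin and the token is attached.
function isAbsoluteVulnerable(url) {
  const lc = url.toLowerCase();
  return lc.startsWith('http://') || lc.startsWith('https://');
}

// Patched decision as described: a leading "//" is also cross-origin.
function isAbsoluteFixed(url) {
  const lc = url.toLowerCase();
  return lc.startsWith('http://') || lc.startsWith('https://') || lc.startsWith('//');
}

// Headers an interceptor built on the given classifier would add.
function buildHeaders(url, token, isAbsolute) {
  const headers = {};
  if (token !== null && !isAbsolute(url)) {
    headers['X-XSRF-TOKEN'] = token;
  }
  return headers;
}

// More general alternative: resolve the URL exactly as the browser will and
// compare origins. new URL() handles relative, protocol-relative and
// backslash forms ("\\host" is parsed like "//host" for http(s) URLs).
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === pageOrigin;
  } catch (e) {
    return false; // unparseable: never attach the token
  }
}

function buildHeadersByOrigin(url, token, pageOrigin) {
  const headers = {};
  if (token !== null && isSameOrigin(url, pageOrigin)) {
    headers['X-XSRF-TOKEN'] = token;
  }
  return headers;
}

// Constructed request URLs an application might issue.
const SAMPLE_URLS = [
  '/api/session',                     // relative: same-origin, token expected
  'https://app.example/api/session',  // absolute same-origin
  'https://attacker.example/collect', // absolute cross-origin
  '//attacker.example/collect',       // protocol-relative: the CVE case
  '\\\\attacker.example/collect',     // backslash form, resolved like "//"
];

// Audit a list of request URLs: where each resolves and whether each
// prefix-based classifier would attach the token.
function auditUrls(urls, pageOrigin) {
  return urls.map((url) => ({
    url,
    sameOrigin: isSameOrigin(url, pageOrigin),
    vulnerableAttaches: 'X-XSRF-TOKEN' in buildHeaders(url, SAMPLE_TOKEN, isAbsoluteVulnerable),
    fixedAttaches: 'X-XSRF-TOKEN' in buildHeaders(url, SAMPLE_TOKEN, isAbsoluteFixed),
  }));
}

// URLs for which a classifier attaches the token to a foreign origin.
function leakedTo(urls, pageOrigin, isAbsolute) {
  return urls.filter((url) => !isSameOrigin(url, pageOrigin)
    && 'X-XSRF-TOKEN' in buildHeaders(url, SAMPLE_TOKEN, isAbsolute));
}

console.table(auditUrls(SAMPLE_URLS, PAGE_ORIGIN));
```

Run with `node`. Note one design difference: the prefix-based classifiers never attach the token to an absolute URL, even a same-origin one, whereas the origin comparison attaches it to any URL that resolves to the page origin. The workaround in the advisory text (use only single-slash relative paths or fully qualified, trusted absolute URLs) keeps a client safe under either check.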
