Angular HTTP Client Cross-Site Request Forgery Token Leakage Vulnerability

Vulnerability

A vulnerability in Angular's HttpClient prior to versions 19.2.16, 20.3.14, and 21.0.1 allows for Cross-Site Request Forgery (XSRF) token leakage to attacker-controlled domains via protocol-relative URLs. This issue arises because protocol-relative URLs are incorrectly treated as same-origin, leading to the unauthorized disclosure of XSRF tokens. The vulnerability bypasses Angular's built-in CSRF protection, enabling attackers to capture valid XSRF tokens and perform CSRF attacks against users.

Impact

Exploitation of this vulnerability allows for the unauthorized capture of XSRF tokens, which can be used to perform Cross-Site Request Forgery attacks against users' sessions.

Reproduction

To reproduce this vulnerability, send a state-changing HTTP request (such as a POST request) from an Angular application with XSRF protection enabled to a protocol-relative URL (starting with '//') that is controlled by an attacker. The XSRF token will be leaked to the attacker-controlled domain.
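The following TypeScript is an added illustration of the bug class this advisory describes, not Angular's own interceptor code: a naive check that treats only scheme-prefixed URLs as cross-origin (so a protocol-relative "//host" URL is mistaken for a same-origin path and receives the token) sits beside a hardened check that resolves the URL against the application origin. The function names, the header name and the app origin are assumptions for the example.

```typescript
// Added illustration of the check class the advisory describes; NOT Angular's own
// interceptor code. Function names, header name and app origin are assumed.
const XSRF_HEADER = 'X-XSRF-TOKEN';
const SAFE_METHODS = new Set(['GET', 'HEAD']);

type OriginCheck = (url: string, appOrigin: string) => boolean;

// Vulnerable shape: a URL is treated as cross-origin only when it carries an
// explicit http(s) scheme. A protocol-relative URL ("//attacker.example/api")
// has no scheme prefix, so it is mistaken for a same-origin relative path and
// the XSRF token is attached to a request that leaves the application's origin.
function isCrossOriginNaive(url: string, _appOrigin: string): boolean {
  const lc = url.toLowerCase();
  return lc.startsWith('http://') || lc.startsWith('https://');
}

// Hardened shape: resolve the request URL against the application's origin with
// the WHATWG URL parser and compare origins. This handles "//host", "\\host"
// (backslashes count as slashes for http(s) in that parser), absolute and
// relative forms alike. Unparseable input fails closed as cross-origin.
function isCrossOriginResolved(url: string, appOrigin: string): boolean {
  try {
    return new URL(url, appOrigin).origin !== new URL(appOrigin).origin;
  } catch {
    return true;
  }
}

// Decide which headers a request gets: the token is attached only to
// state-changing methods on URLs the supplied check judges same-origin.
function xsrfHeaders(
  method: string,
  url: string,
  token: string,
  appOrigin: string,
  check: OriginCheck,
): Record<string, string> {
  if (SAFE_METHODS.has(method.toUpperCase())) return {};
  if (check(url, appOrigin)) return {};
  return { [XSRF_HEADER]: token };
}
```

Run the same POST to a protocol-relative URL through both checks: the naive check emits the token header, the resolved check withholds it.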

Remediation

Users should update to Angular versions 19.2.16, 20.3.14, or 21.0.1. Additionally, avoid using protocol-relative URLs in HttpClient requests. Instead, use hardcoded relative paths or fully qualified, trusted absolute URLs for backend communication.

Added: Nov 26, 2025, 11:17 PM
Updated: Nov 26, 2025, 11:17 PM

Vulnerability Rating

Custom Algorithm
spread          6.6
impact          3.1
exploitability  5.4
remediation     7.9
relevance       1.1
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.