Source: angular.js
Version: 1.8.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for angular.js. Not clear if
this affects the old version from Debian, can you investigate?

CVE-2025-66035[0]:
| Angular is a development platform for building mobile and desktop
| web applications using TypeScript/JavaScript and other languages.
| Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF
| token leakage via protocol-relative URLs in angular HTTP clients.
| The vulnerability is a Credential Leak by App Logic that leads to
| the unauthorized disclosure of the Cross-Site Request Forgery (XSRF)
| token to an attacker-controlled domain. Angular's HttpClient has a
| built-in XSRF protection mechanism that works by checking if a
| request URL starts with a protocol (http:// or https://) to
| determine if it is cross-origin. If the URL starts with a protocol-
| relative URL (//), it is incorrectly treated as a same-origin
| request, and the XSRF token is automatically added to the X-XSRF-
| TOKEN header. This issue has been patched in versions 19.2.16,
| 20.3.14, and 21.0.1. A workaround for this issue involves avoiding
| using protocol-relative URLs (URLs starting with //) in HttpClient
| requests. All backend communication URLs should be hardcoded as
| relative paths (starting with a single /) or fully qualified,
| trusted absolute URLs.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66035
    https://www.cve.org/CVERecord?id=CVE-2025-66035
[1] https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
