Skip to content

common-15.2.2.tgz: 1 vulnerabilities (highest severity is: 8.6) #514

New issue
New issue
Open
Open
common-15.2.2.tgz: 1 vulnerabilities (highest severity is: 8.6)#514
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Nov 27, 2025
Vulnerable Library - common-15.2.2.tgz

Angular - commonly needed directives and services

Library home page: https://registry.npmjs.org/@angular/common/-/common-15.2.2.tgz

Path to dependency file: /MangoAPI.Client/package.json

Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/common/package.json

Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (common version) Remediation Possible**
CVE-2025-66035 High 8.6 common-15.2.2.tgz Direct https://github.com/angular/angular.git - 20.3.14,https://github.com/angular/angular.git - 19.2.16

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-66035

Vulnerable Library - common-15.2.2.tgz

Angular - commonly needed directives and services

Library home page: https://registry.npmjs.org/@angular/common/-/common-15.2.2.tgz

Path to dependency file: /MangoAPI.Client/package.json

Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/common/package.json

Dependency Hierarchy:

  • common-15.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2

Found in base branch: main

Vulnerability Details

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Publish Date: 2025-11-26

URL: CVE-2025-66035

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-11-26

Fix Resolution: https://github.com/angular/angular.git - 20.3.14,https://github.com/angular/angular.git - 19.2.16

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions