🚨 XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
‼️ Package » @angular/common
‼️ Severity » High (7.7/10)
The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.
Angular's HttpClient has a built-in XSRF protection mechanism that decides whether a request is cross-origin by checking if the request URL starts with an explicit protocol (http:// or https://). If the URL instead starts with a protocol-relative prefix (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header even though the browser resolves the request against a different host.
Affected versions         | Patched version
>=21.0.0-next.0, <21.0.1  | 21.0.1
>=20.0.0-next.0, <20.3.14 | 20.3.14
>=19.0.0-next.0, <19.2.16 | 19.2.16
<=18.2.14                 | none
Workarounds
Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
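As an added illustration (not Angular's own source), the following TypeScript models the interceptor's same-origin decision before and after the fix and audits a list of request URLs for ones the legacy check would send with a token to another origin; the page origin, the hostnames and the sample URLs are constructed placeholders.

```typescript
// Constructed model of the HttpClient XSRF same-origin check (not Angular's code).
// Hostnames such as "attacker.example" are placeholders, not real targets.

/** Legacy classification: only an explicit scheme counts as an absolute URL. */
export function isAbsoluteUrlLegacy(url: string): boolean {
  const lc = url.toLowerCase();
  return lc.startsWith("http://") || lc.startsWith("https://");
}

/** Hardened classification: a protocol-relative "//" prefix is absolute as well. */
export function isAbsoluteUrlFixed(url: string): boolean {
  const lc = url.toLowerCase();
  return lc.startsWith("http://") || lc.startsWith("https://") || lc.startsWith("//");
}

/**
 * Whether the interceptor would attach X-XSRF-TOKEN: it skips GET/HEAD and
 * anything it classifies as absolute, and attaches the token otherwise.
 */
export function wouldAttachXsrfToken(
  method: string,
  url: string,
  isAbsolute: (u: string) => boolean,
): boolean {
  const m = method.toUpperCase();
  if (m === "GET" || m === "HEAD") return false;
  return !isAbsolute(url);
}

/** Resolve the URL the way the browser does and report whether it leaves the page origin. */
export function leavesOrigin(url: string, pageOrigin: string): boolean {
  return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
}

/** Audit helper: URLs where the legacy check attaches a token to an off-origin POST. */
export function findLeakingUrls(urls: string[], pageOrigin: string): string[] {
  return urls.filter(
    (u) => wouldAttachXsrfToken("POST", u, isAbsoluteUrlLegacy) && leavesOrigin(u, pageOrigin),
  );
}

// Constructed sample: one protocol-relative URL among safe ones.
const sampleUrls = ["/api/save", "//attacker.example/api", "https://cdn.example/x", "api/relative"];
console.log(findLeakingUrls(sampleUrls, "https://app.example"));
```

Running the same list through isAbsoluteUrlFixed yields no leaking entries, which is the behaviour of the patched versions.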
‼️ Shai-Hulud Returns: Over 300 NPM Packages Infected
- https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24
- https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised
#security #npm
‼️ Angular - prevent XSS via SVG animation attributeName and MathML/SVG URLs
Fixed in:
> 21.0.2
> 20.3.15
> 19.2.17
#security #angular21 #angular20 #angular19
Ok... I don't like React, but I can't stay away if there are security issues!
also...
Critical Security Vulnerability in React Server Components
This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0.
The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
https://github.com/msanft/CVE-2025-55182
Big thx to @AD_POHEQUE for the deep explanation too!
#secure
Angular Munich Meetup
My very-short review: https://www.instagram.com/reel/DR0ZIDAjCGK/?igsh=MWV0cjJuYXl1M2ZsOQ==
See you next time again!!! 🫶🏻
#meetup
Great evening with great peoples!
Thank you @celonis for hosting and supporting our #angular #meetup!
And very big thanks to @angular.love and @inside.remberg for supporting our devs with goodies 🫶🏻 🥰
And ofc special applause to our great speakers Dan…
‼️ Workshop (NEW!) - Signal Forms - 20.01.26 | 9 – 5 PM (CET) | Online
If you have time and need more practice with the new Angular signal forms, then book your place!
With the promo code "ngxsamurai" you get a 50% discount on the Signal Forms workshop on 20.01.2026!
🔗 Workshop Link
#workshop #angular #forms