PatchSiren cyber security CVE debrief

CVE-2025-66035 Siemens CVE debrief

CVE-2025-66035 is a credential-leak issue in Angular HttpClient’s XSRF handling. When a request uses a protocol-relative URL beginning with //, Angular can misclassify it as same-origin and automatically attach the X-XSRF-TOKEN header, potentially exposing the token to an attacker-controlled domain. The advisory states the issue is fixed in Angular 19.2.16, 20.3.14, and 21.0.1, and recommends avoiding protocol-relative URLs in HttpClient requests.

Vendor: Siemens
Product: SIDIS Prime
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-12
Advisory published: 2026-03-10
Advisory updated: 2026-03-12

Who should care

Teams maintaining Angular-based web applications or embedded web clients that use HttpClient and rely on XSRF protection. In the supplied advisory corpus, this CVE is also associated with Siemens/CISA republished material, so organizations consuming the referenced Siemens advisory should review affected deployments and client code paths.

Technical summary

Angular HttpClient decides whether to add XSRF headers by checking whether a request URL begins with an explicit scheme such as http:// or https://. A protocol-relative URL (one beginning with //) does not match that check and is therefore treated as same-origin, so the X-XSRF-TOKEN header is sent when it should not be. The result is unauthorized disclosure of the XSRF token to the destination domain. The supplied advisory says the issue is patched in Angular 19.2.16, 20.3.14, and 21.0.1 and can be mitigated by avoiding protocol-relative URLs.

Defensive priority

High. The issue affects confidentiality of a security token and can be triggered through application logic without requiring privileges. Even though it is not a code-execution bug, the leakage can weaken CSRF protections and should be remediated promptly in client code and dependency versions.

Recommended defensive actions

  • Upgrade Angular to 19.2.16, 20.3.14, or 21.0.1, or later fixed releases listed by the vendor.
  • Search for HttpClient calls that use protocol-relative URLs beginning with // and replace them.
  • Use relative paths starting with / or fully qualified, trusted absolute URLs for backend requests.
  • Review application code and shared libraries for URL construction patterns that may reintroduce protocol-relative requests.
  • Validate that affected builds no longer send X-XSRF-TOKEN to untrusted destinations after remediation.
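The same-origin decision described in the technical summary, together with the search-and-validate steps above, as an added JavaScript example that is not Angular's source code and not part of the original debrief; the page origin, the sample client source and all function names are constructed for illustration.

```javascript
// Added illustration for CVE-2025-66035; this is NOT Angular's source code.
// It models the same-origin decision the debrief describes and the two
// defensive checks. "https://app.example" is a constructed page origin.

// Vulnerable model: a request is treated as cross-origin only when its URL
// starts with an explicit http:// or https:// scheme, so a protocol-relative
// "//host/path" falls through and is classified as same-origin.
function isCrossOriginPrefixOnly(url) {
  const lcUrl = url.toLowerCase();
  return lcUrl.startsWith('http://') || lcUrl.startsWith('https://');
}

// Hardened model: resolve the URL against the page origin exactly as the
// browser will and compare origins; "//host/path" resolves to the other host.
function isCrossOriginResolved(url, pageOrigin) {
  return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
}

// The token header may only be attached to same-origin requests.
function shouldAttachXsrf(url, pageOrigin, isCrossOrigin) {
  return !isCrossOrigin(url, pageOrigin);
}

// Remediation helper: report protocol-relative URL string literals in client
// source text so they can be replaced. Simple regex heuristic, not a parser.
function findProtocolRelativeLiterals(sourceText) {
  const re = /(['"`])\/\/[^\/\s'"`][^'"`]*\1/g;
  return Array.from(sourceText.matchAll(re), (m) => m[0].slice(1, -1));
}

// Constructed sample of Angular client code, not taken from any real project.
const SAMPLE_SOURCE = `
  this.http.post('/api/orders', body);             // same-origin path: fine
  this.http.post('//cdn.example.net/track', body);  // protocol-relative: flag
  this.http.get('https://api.example/v1', {});      // explicit scheme: fine
`;

if (typeof require !== 'undefined' && require.main === module) {
  const page = 'https://app.example';
  for (const u of ['/api/orders', '//other-host.example/collect']) {
    console.log(u,
      'prefix-only attaches:', shouldAttachXsrf(u, page, isCrossOriginPrefixOnly),
      'resolved attaches:', shouldAttachXsrf(u, page, isCrossOriginResolved));
  }
  console.log('protocol-relative literals:', findProtocolRelativeLiterals(SAMPLE_SOURCE));
}
```

Running the block shows the prefix-only model attaching the token to the protocol-relative request while the origin-resolving model refuses, and the audit helper listing the one literal that needs replacing.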

Evidence notes

The supplied source item and CISA advisory metadata are dated 2026-03-10 with a CISA republication on 2026-03-12. The advisory text explicitly describes an Angular HttpClient XSRF token leakage condition involving protocol-relative URLs and lists fixed Angular versions 19.2.16, 20.3.14, and 21.0.1. The source corpus also labels the product as Siemens SIDIS Prime vers:intdot/<4.0.800, which does not match the Angular description; this debrief follows the supplied vulnerability text and flags that mismatch as a source-corpus quality issue.

Official resources

Published by CISA on 2026-03-10 and republished on 2026-03-12 from Siemens ProductCERT advisory SSA-485750, according to the supplied source corpus.