CVE-2025-66412
Stored Cross-Site Scripting vulnerability in compiler (npm)


What is CVE-2025-66412 About?

This is a Stored Cross-Site Scripting (XSS) vulnerability in the Angular Template Compiler that arises from an incomplete internal security schema. It allows attackers to bypass Angular's built-in security sanitization, leading to arbitrary JavaScript execution in the context of the application's origin upon user interaction or animation trigger. Exploitation is moderately difficult, as it requires specific conditions for malicious input and user engagement.

Affected Software

  • @angular/compiler
    • >=20.0.0-next.0, <20.3.15
    • >=19.0.0-next.0, <19.2.17
    • <=18.2.14
    • >=21.0.0-next.0, <21.0.2

Technical Details

The vulnerability exists because Angular's template compiler failed to classify certain URL-holding attributes, specifically those that can carry javascript: URLs, as requiring the strict URL security context, which left them open to script injection. A related weakness involves SVG animation elements (<animate>, <set>, etc.), whose attributeName was not validated: it could be pointed at sensitive attributes such as href or xlink:href, with a javascript: URL carried in the element's values or to attributes. When untrusted, user-controlled data is bound to these attributes through a template binding (e.g., [attr.xlink:href]="maliciousURL"), the compiler either defaults to a non-sanitizing context or fails to block the dangerous assignment, so the javascript: URL payload executes on user interaction or automatically when the animation fires.
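As an added example (not Angular's code and not the upstream patch), the following JavaScript models the two checks described above from the defender's side: classifying URL-holding attributes into a URL security context, and validating the attributeName of SVG animation elements before their values or to attributes are accepted. The attribute list, the animation element list and the allowed scheme list are illustrative assumptions, not Angular's complete internal schema.

```javascript
// Added example, not Angular's own code: a minimal model of the two checks that
// close this class of bug. The three lists below are illustrative assumptions,
// not Angular's complete internal security schema.
const URL_ATTRIBUTES = new Set(['href', 'xlink:href', 'src', 'formaction']);
const SVG_ANIMATION_ELEMENTS = new Set(['animate', 'set', 'animatemotion', 'animatetransform']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Classify a binding: URL-holding attributes require URL sanitization,
// everything else is treated as plain text.
function securityContextFor(attrName) {
  return URL_ATTRIBUTES.has(attrName.toLowerCase()) ? 'URL' : 'NONE';
}

// Allow-list URL check. Control characters and whitespace are stripped first
// so that "java\tscript:" or " javascript:" cannot slip past the scheme test.
function isSafeUrl(value) {
  const url = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true; // no scheme: relative URL, fragment or query
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Sanitize a value bound to an attribute. Unsafe URLs are neutralised by
// prefixing "unsafe:", the convention Angular's URL sanitizer uses.
function sanitizeAttribute(attrName, value) {
  if (securityContextFor(attrName) === 'URL' && !isSafeUrl(value)) {
    return 'unsafe:' + value;
  }
  return value;
}

// Second check: an SVG animation element must not retarget a URL attribute
// (attributeName="href" / "xlink:href") with an unsafe URL in its values or
// to attribute ("from" is checked too, as an added precaution).
function checkAnimationElement(tagName, attrs) {
  if (!SVG_ANIMATION_ELEMENTS.has(tagName.toLowerCase())) return { allowed: true };
  const target = (attrs.attributeName || '').toLowerCase();
  if (securityContextFor(target) !== 'URL') return { allowed: true };
  for (const key of ['values', 'to', 'from']) {
    if (!(key in attrs)) continue;
    // "values" is a semicolon-separated list; every entry must be safe.
    const unsafe = String(attrs[key]).split(';').filter((v) => !isSafeUrl(v));
    if (unsafe.length > 0) {
      return { allowed: false, reason: `${key} retargets ${target} with an unsafe URL` };
    }
  }
  return { allowed: true };
}
```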

What is the Impact of CVE-2025-66412?

Successful exploitation may allow attackers to execute arbitrary code within the context of the vulnerable application's domain, leading to session hijacking, data exfiltration, and unauthorized actions on behalf of the user.

What is the Exploitability of CVE-2025-66412?

Exploitation of this vulnerability is complex, requiring specific preconditions. Attackers need to inject untrusted input into data rendered by the Angular application, which is then bound to one of the unsanitized URL attributes or the attributeName of an SVG animation element. Authentication is not directly required for the exploit injection if the application processes untrusted user input without sanitization. However, user interaction (e.g., clicking on the compromised element) or an automatically triggered animation is necessary for the malicious JavaScript to execute. The risk is heightened in applications that frequently display user-supplied content without strict sanitization.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2025-66412?

A Fix by Resolved Security Exists!


Available Upgrade Options

  • @angular/compiler
    • >=19.0.0-next.0, <19.2.17 → Upgrade to 19.2.17
    • >=20.0.0-next.0, <20.3.15 → Upgrade to 20.3.15
    • >=21.0.0-next.0, <21.0.2 → Upgrade to 21.0.2


Additional Resources

What are Similar Vulnerabilities to CVE-2025-66412?

Similar Vulnerabilities: CVE-2023-38545, CVE-2021-39144, CVE-2024-21446, CVE-2022-24360, CVE-2020-7798