CVE-2025-0716

Content Spoofing
Affects: AngularJS >=0.0.0
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version of AngularJS offered by HeroDevs.

Overview

AngularJS is a JavaScript framework for developing dynamic web applications. It lets you use HTML as your template language and lets you extend HTML's syntax to express your application's components clearly and succinctly.

An improper sanitization vulnerability (CVE-2025-0716) has been identified in AngularJS. Values bound to the href or xlink:href attribute of an <image> SVG element are normally subject to the application's image source sanitization, but bindings to href via the ngHref and ngAttrHref directives, or via interpolation, skip it. An attacker who controls such a binding can bypass the image source restrictions configured in the application, which can lead to a form of Content Spoofing. In addition, the application's performance and behavior can be degraded by loading images that are too large or slow to load.

Per OWASP: Content spoofing, also referred to as content injection, “arbitrary text injection” or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.

This issue affects all versions of AngularJS.

Details

Vulnerability Info

This Medium-severity vulnerability is found in the main angular package in all published versions of AngularJS.

Normally, setting an <image> SVG element's href or xlink:href attribute via AngularJS bindings is subject to image source sanitization (configured with $compileProvider.imgSrcSanitizationTrustedUrlList). This lets an application restrict the sources from which images can be loaded, for example to a single domain.

However, due to a bug in AngularJS, setting an <image> SVG element's href attribute via the ngHref or ngAttrHref directives, or via interpolation, is not subject to image source sanitization (the xlink:href attribute is sanitized correctly; see the note below). This allows bypassing the image source restrictions configured in the application, which can also lead to a form of Content Spoofing. In addition, the application's performance and behavior can be negatively affected by loading images that are too large or slow to load.

Note:

Targeting the xlink:href attribute via ng-attr-xlink:href or interpolation is not affected. With xlink:href, sanitization works as intended.

Steps To Reproduce

  • Create an AngularJS application and configure $compileProvider to only allow images from a specific domain. For example:
angular
  .module('app', [])
  .config(['$compileProvider', $compileProvider => {
    $compileProvider.imgSrcSanitizationTrustedUrlList(
        // Only allow images from `angularjs.org`.
        /^https:\/\/angularjs\.org\//);
  }]);

  • Use interpolation in the ngHref directive on an <image> SVG element to bypass the domain restriction and show an image from a disallowed domain. For example:
<svg>
  <image ng-href="{{ 'https://angular.dev/favicon.ico' }}" xlink:href=""></image>
</svg>

  • You can even show an arbitrary SVG image using the data:image/svg+xml format. For example:
<svg>
  <image ng-href="{{ 'data:image/svg+xml;base64,...' }}" xlink:href=""></image>
</svg>

  • Similarly, you can achieve the same by using the ngAttrHref directive. For example:
<svg>
  <image ng-attr-href="https://angular.dev/favicon.ico"></image>
  <!--
    OR:
    <image ng-attr-href="data:image/svg+xml;base64,..."></image>
  -->
</svg>

  • Finally, you can also use interpolation on the href attribute to the same effect. For example:
<svg>
  <image href="{{ 'https://angular.dev/favicon.ico' }}"></image>
  <!--
    OR:
    <image href="{{ 'data:image/svg+xml;base64,...' }}"></image>
  -->
</svg>
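The following is an added example written for this page; it is not code from the advisory, from the proof of concept, or from AngularJS itself. It models the image source sanitization the advisory describes (a bound value outside the trusted list is returned with an unsafe: prefix, approximating the framework's $$sanitizeUri, with an assumed base URL standing in for the document's) and audits template strings for the <image> binding forms listed in the steps above, while leaving the xlink:href forms the note reports as sanitized unflagged. The trusted-list regex is the one from the first step; the SAMPLE_TEMPLATES, the app.example.test base URL, the logoUrl scope property and the tiny base64 SVG are constructed for the example.

```javascript
// Added example (not code from the advisory or from AngularJS): a model of the
// image source sanitization the advisory describes, plus a template audit that
// flags the <image> binding forms it reports as bypassing that sanitization.

// Trusted list taken from the advisory's $compileProvider example:
// only images served from angularjs.org are allowed.
const TRUSTED_IMG_SRC = /^https:\/\/angularjs\.org\//;

// Assumed base for resolving relative URLs; a browser would use document.baseURI.
const ASSUMED_BASE = 'https://app.example.test/';

// Approximation of what imgSrcSanitizationTrustedUrlList enforces on a
// sanitized binding: the value is trimmed and resolved to an absolute URL, and
// anything outside the trusted list comes back with an "unsafe:" prefix, which
// the browser cannot load. This is the check the affected bindings skip.
function sanitizeImgSrc(value, trusted = TRUSTED_IMG_SRC) {
  const raw = String(value).trim();
  if (raw === '') return raw;
  let normalized;
  try {
    normalized = new URL(raw, ASSUMED_BASE).href;
  } catch {
    normalized = raw;
  }
  return trusted.test(normalized) ? raw : 'unsafe:' + normalized;
}

// Binding forms on <image> elements that the advisory reports as unsanitized.
// The lookbehind stops a bare href="{{...}}" from matching inside xlink:href,
// ng-href or ng-attr-href, and the optional data- prefix covers the
// data-ng-* spelling AngularJS also accepts.
const UNSANITIZED_IMAGE_BINDINGS = [
  { binding: 'ng-href',            pattern: /(?<![\w:-])(?:data-)?ng-href\s*=/i },
  { binding: 'ng-attr-href',       pattern: /(?<![\w:-])(?:data-)?ng-attr-href\s*=/i },
  { binding: 'href-interpolation', pattern: /(?<![\w:-])href\s*=\s*["'][^"']*\{\{/i },
];

// Scans a template string for <image> elements that use one of the affected
// binding forms. HTML comments are dropped first so commented-out markup (like
// the "OR:" alternatives in the advisory's snippets) is not reported.
function auditTemplate(template) {
  const findings = [];
  const stripped = template.replace(/<!--[\s\S]*?-->/g, '');
  const imageTag = /<image\b([^>]*)>/gi;
  let match;
  while ((match = imageTag.exec(stripped)) !== null) {
    const attrs = match[1];
    for (const { binding, pattern } of UNSANITIZED_IMAGE_BINDINGS) {
      if (pattern.test(attrs)) findings.push({ binding, element: match[0] });
    }
  }
  return findings;
}

// Constructed sample templates: the first three mirror the advisory's
// reproduction steps; the last two use the xlink:href forms it says are
// sanitized. "PHN2Zy8+" is base64 for "<svg/>"; logoUrl is a hypothetical
// scope property.
const SAMPLE_TEMPLATES = {
  ngHref: `<svg><image ng-href="{{ 'https://angular.dev/favicon.ico' }}" xlink:href=""></image></svg>`,
  ngAttrHref: `<svg>
  <image ng-attr-href="https://angular.dev/favicon.ico"></image>
  <!-- OR: <image ng-attr-href="data:image/svg+xml;base64,PHN2Zy8+"></image> -->
</svg>`,
  hrefInterpolation: `<svg><image href="{{ 'https://angular.dev/favicon.ico' }}"></image></svg>`,
  xlinkInterpolation: `<svg><image xlink:href="{{ 'https://angular.dev/favicon.ico' }}"></image></svg>`,
  ngAttrXlinkHref: `<svg><image ng-attr-xlink:href="{{ logoUrl }}"></image></svg>`,
};

// Returns, per template, the names of the affected binding forms found in it.
function auditAll(templates = SAMPLE_TEMPLATES) {
  const report = {};
  for (const [name, template] of Object.entries(templates)) {
    report[name] = auditTemplate(template).map((f) => f.binding);
  }
  return report;
}

// What a sanitized binding would have done with the advisory's test URL,
// followed by which samples use a binding that skips that step.
console.log(sanitizeImgSrc('https://angular.dev/favicon.ico'));
console.log(auditAll());
```

Running the script shows the favicon URL coming back as unsafe:https://angular.dev/favicon.ico, which is what a sanitized binding would load (and the browser would refuse), while the audit lists ng-href, ng-attr-href and href-interpolation for the three reproduction templates and nothing for the two xlink:href templates. The audit is a string-level heuristic for finding candidate templates to review, not a parser, so treat its output as a starting point.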

Proof Of Concept

A full reproduction with code similar to the above can be found here:

<image> sanitization vulnerability POC

Credits

  • George Kalpakas from HeroDevs (finder)

Mitigation

The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications away from AngularJS.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2025-0716
Project Affected: AngularJS
Versions Affected: >=0.0.0
Published date: April 29, 2025
≈ Fix date: February 18, 2025
Severity: Medium
Category: Content Spoofing