CVE-2025-2336

Content Spoofing
Affects: AngularJS
Versions: >=1.3.1
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

AngularJS is a JavaScript framework for developing dynamic web applications. It lets you use HTML as your template language and lets you extend HTML's syntax to express your application's components clearly and succinctly. Its ngSanitize module provides functionality to sanitize HTML code.

An improper sanitization vulnerability (CVE-2025-2336) has been identified in AngularJS' ngSanitize module, which allows attackers to bypass common image source restrictions normally applied to image elements. This bypass can further lead to a form of Content Spoofing. Similarly, the application's performance and behavior could be negatively affected by using too large or slow-to-load images.

Per OWASP: Content spoofing, also referred to as content injection, “arbitrary text injection” or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.

This issue affects AngularJS versions greater than or equal to 1.3.1.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in the angular-sanitize package in AngularJS versions greater than or equal to 1.3.1.

The $sanitize service, which is provided by the angular-sanitize package, sanitizes HTML strings by stripping all potentially dangerous tokens. As part of the sanitization, it checks the URLs of images to ensure they abide by the configured image source rules. This improves the security of an application by restricting the sources from which images can be shown, for example by only allowing images from a specific domain.

However, due to a bug in the $sanitize service, SVG <image> elements are not correctly detected as images, even when SVG support is enabled. As a result, the image source restrictions are not applied to such elements. This allows bypassing the image source restrictions configured in the application, which can also lead to a form of Content Spoofing. Similarly, the application's performance and behavior can be negatively affected by using too large or slow-to-load images.

Note: The $sanitize service is also used internally by the ngBindHtml directive and the linky filter, so any vulnerabilities in it affect them as well.

Steps To Reproduce

  • Create an AngularJS application that uses the ngSanitize module and configure $compileProvider to only allow images from a specific domain. Also, enable SVG support in $sanitizeProvider. For example:
angular
    .module('app', ['ngSanitize'])
    .config([
      '$compileProvider', '$sanitizeProvider',
      ($compileProvider, $sanitizeProvider) => {
        $compileProvider.imgSrcSanitizationTrustedUrlList(
            // Only allow images from `angularjs.org`.
            /^https:\/\/angularjs\.org\//);

        // Enable SVG support in `$sanitize()`.
        $sanitizeProvider.enableSvg(true);
      },
    ]);

  • Use an <image> SVG element to bypass the domain restriction and show an image from a disallowed domain. For example:
<svg>
  <image href="https://angular.dev/favicon.ico"></image>
  <!--
    OR:
    <image xlink:href="https://angular.dev/favicon.ico"></image>
  -->
</svg>
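As an added example (not code from the advisory or from the AngularJS project), the following standalone check applies the same image-source allowlist regex to SVG <image> href / xlink:href attributes as well as to <img src>. A test suite can run it over $sanitize output to detect markup in which an SVG <image> escaped the restriction; the function names and the sample markup are constructed here, and the tag scanning is regex-based rather than a full HTML parser.

```javascript
// Added example: post-sanitization image-source check covering <img src> and
// SVG <image href / xlink:href>. Function names and sample input are constructed.

// Same allowlist rule as the advisory's $compileProvider configuration.
const TRUSTED_IMG_SRC = /^https:\/\/angularjs\.org\//;

// Parse the attribute list of one tag into a lowercase-keyed object.
// Handles double-quoted, single-quoted and unquoted values.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    attrs[m[1].toLowerCase()] = value.trim();
  }
  return attrs;
}

// Return every image URL in `html` that does not match `trusted`.
// Each finding records the element and the attribute the URL came from.
function findDisallowedImageSources(html, trusted) {
  const findings = [];
  // Tag body may contain '>' inside quoted attribute values, so quoted runs
  // are consumed as units before the closing '>' is accepted.
  const tagRe = /<\s*(img|image)\b((?:"[^"]*"|'[^']*'|[^>])*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    // <img> carries its URL in src; SVG <image> in href or the legacy xlink:href.
    const urlAttrs = tag === 'img' ? ['src'] : ['href', 'xlink:href'];
    for (const name of urlAttrs) {
      if (name in attrs && !trusted.test(attrs[name])) {
        findings.push({ tag, attr: name, url: attrs[name] });
      }
    }
  }
  return findings;
}

// Constructed sample: the advisory's SVG <image> payloads next to an allowed <img>.
const SAMPLE_HTML = `
<img src="https://angularjs.org/img/logo.png">
<svg>
  <image href="https://angular.dev/favicon.ico"></image>
  <image xlink:href="https://angular.dev/favicon.ico"></image>
</svg>`;
```

Running `findDisallowedImageSources(SAMPLE_HTML, TRUSTED_IMG_SRC)` reports both SVG <image> URLs and nothing for the allowed <img>.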

Proof Of Concept

A full reproduction with code similar to the above can be found here:

ngSanitize <image> sanitization vulnerability POC

Mitigation

The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications away from AngularJS.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • George Kalpakas from HeroDevs (finder)

Vulnerability Details

ID: CVE-2025-2336
Project affected: AngularJS
Versions affected: >=1.3.1
Published date: June 4, 2025
Fix date (approximate): March 19, 2025
Severity: Medium
CVSS assessment bands: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
Category: Content Spoofing