CVE-2025-66412

Cross-Site Scripting
Affects: Angular in Angular
Versions: >=21.0.0-next.0 <21.0.2, >=20.0.0-next.0 <20.3.15, >=19.0.0-next.0 <19.2.17, <=18.2.14
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.

A Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-66412 was discovered in Angular’s template compiler. The issue stems from an incomplete internal security schema that fails to classify certain URL-bearing SVG and MathML attributes as requiring strict sanitization. Because of this gap, malicious values including JavaScript URLs can bypass Angular’s built-in sanitization mechanisms.

A related issue also affects SVG animation elements such as animate, set, animateMotion, and animateTransform. The attributeName property on these animation elements was not correctly validated. This allowed attackers to target sensitive attributes like href or xlink:href on other elements. When untrusted data is bound to these attributes, the compiler may fall back to a non-sanitizing context, enabling arbitrary script injection.

Per OWASP, this vulnerability falls under Stored Cross-Site Scripting. Stored XSS occurs when an application stores untrusted input and later renders it without proper neutralization. In this case, the injected payload may execute when a user interacts with the affected element or automatically when an animation is triggered.

Details

Module Info

Vulnerability Info

This vulnerability is caused by an incomplete security schema inside Angular’s template compiler. The compiler is responsible for determining the correct security context for attribute bindings, especially those that may contain URLs. Several URL-bearing attributes were not classified as requiring strict URL security. This includes attributes such as xlink:href on SVG elements and multiple MathML attributes like math|href and annotation|href. When untrusted data is bound to these attributes, the compiler may fall back to a non-sanitizing context or fail to block the binding entirely. As a result, an attacker can supply a JavaScript URL or other malicious value that bypasses sanitization.

A related issue affects SVG animation elements including animate, set, animateMotion, and animateTransform. The attributeName property on these elements was not validated correctly. Attackers can bind attributeName to sensitive attributes such as href or xlink:href on other elements. When combined with a JavaScript URL provided through the values property or the to attribute, this allows the animation system to apply an unsafe URL to a sensitive attribute, bypassing Angular’s normal sanitization rules.

When these unsafe bindings are compiled, the resulting templates contain stored payloads that will execute after the application renders them. Execution can occur when a user interacts with the affected element, such as clicking on an SVG link, or automatically when an animation triggers the attribute update. In either case, arbitrary JavaScript executes within the application’s origin, giving the attacker access to user data and the ability to perform privileged actions.

Mitigation

Users of affected Angular packages should apply one of the following mitigations:

  • Upgrade to a patched version of the @angular/compiler package.
  • Avoid binding untrusted data to vulnerable SVG or MathML attributes.
  • Do not bind untrusted values to the attributeName property on SVG animation elements.
  • Use a strong Content Security Policy that blocks JavaScript URLs.
  • Leverage commercial support – HeroDevs provides security support for Angular versions 4–18.
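The following TypeScript is an added example, not Angular's own code and not a HeroDevs tool: it turns the attribute lists from the Details section and the first four mitigations above into a small audit over template binding records, plus a URL guard an application can apply before binding untrusted data. The Binding record shape, the attribute sets, the SAFE_SCHEMES allowlist and the sample bindings are assumptions constructed for illustration; the audit generalizes slightly by also checking the values/to attributes of animation elements, which the advisory names as the carriers of the applied value.

```typescript
// Added example (not Angular's code, not a HeroDevs tool): audit template
// binding records for the patterns this advisory describes. The Binding
// shape, the attribute sets and SAFE_SCHEMES are assumptions.

// URL-bearing attributes the advisory names as missing from the compiler's
// security schema. MathML names use the "ns|attr" form the advisory uses.
const URL_BEARING_ATTRS = new Set<string>([
  "xlink:href",       // SVG
  "href",             // SVG <a>; also a sensitive animation target
  "math|href",        // MathML
  "annotation|href",  // MathML
]);

// SVG animation elements whose attributeName was not validated.
const SVG_ANIMATION_ELEMENTS = new Set<string>([
  "animate", "set", "animateMotion", "animateTransform",
]);

// Animation attributes that carry the value applied to the target attribute.
const ANIMATION_VALUE_ATTRS = new Set<string>(["values", "to"]);

// Allowlist of URL schemes the application is willing to bind (assumed policy).
const SAFE_SCHEMES = new Set<string>(["http", "https", "mailto", "tel"]);

interface Binding {
  element: string;    // tag name the attribute is bound on
  attribute: string;  // bound attribute name
  value: string;      // the value the bound expression evaluates to
  trusted: boolean;   // true only when the value comes from a trusted source
}

interface Finding {
  binding: Binding;
  reason: string;
}

// True for relative URLs and for absolute URLs whose scheme is allowlisted.
// Control characters and whitespace are stripped first because browsers
// ignore them inside a scheme, so a scheme split by a tab must not slip by.
function isSafeUrl(value: string): boolean {
  const cleaned = value.replace(/[\u0000-\u0020]/g, "");
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (scheme === null) return true;
  return SAFE_SCHEMES.has(scheme[1].toLowerCase());
}

// The "values" attribute of an animation is a semicolon-separated list;
// every entry must be safe for the whole binding to be safe.
function allValuesSafe(value: string): boolean {
  return value.split(";").every((v) => isSafeUrl(v));
}

// Flags, for untrusted data only:
// 1. a binding to a URL-bearing SVG/MathML attribute (noting an unsafe URL),
// 2. an attributeName on an animation element that names a URL-bearing attribute,
// 3. an unsafe URL in the values/to attribute of an animation element.
function auditBindings(bindings: Binding[]): Finding[] {
  const findings: Finding[] = [];
  for (const b of bindings) {
    if (b.trusted) continue;
    if (URL_BEARING_ATTRS.has(b.attribute)) {
      const note = isSafeUrl(b.value) ? "" : " with an unsafe URL";
      findings.push({ binding: b, reason: `untrusted data bound to ${b.attribute}${note}` });
    }
    if (SVG_ANIMATION_ELEMENTS.has(b.element)) {
      if (b.attribute === "attributeName" && URL_BEARING_ATTRS.has(b.value)) {
        findings.push({ binding: b, reason: `untrusted attributeName targets ${b.value}` });
      }
      if (ANIMATION_VALUE_ATTRS.has(b.attribute) && !allValuesSafe(b.value)) {
        findings.push({ binding: b, reason: `unsafe URL in animation ${b.attribute}` });
      }
    }
  }
  return findings;
}

// Constructed sample bindings (not taken from the advisory).
const SAMPLE_BINDINGS: Binding[] = [
  { element: "a", attribute: "xlink:href", value: "https://example.com/docs", trusted: false },
  { element: "a", attribute: "xlink:href", value: "https://example.com/docs", trusted: true },
  { element: "animate", attribute: "attributeName", value: "href", trusted: false },
  { element: "animate", attribute: "attributeName", value: "opacity", trusted: false },
  { element: "animate", attribute: "values", value: "0;1", trusted: false },
  { element: "set", attribute: "to", value: "jav\tascript:void(0)", trusted: false },
];

// Three findings: the untrusted xlink:href, the attributeName naming href,
// and the tab-split javascript: scheme in the "to" attribute.
for (const f of auditBindings(SAMPLE_BINDINGS)) {
  console.log(`${f.binding.element}[${f.binding.attribute}]: ${f.reason}`);
}
```

The first finding fires even though the sample URL is benign: the policy mirrors the mitigation bullets, which forbid binding untrusted data to these attributes at all on affected versions, so the audit reports the binding and only annotates whether the current value happens to be an unsafe URL.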

Credits

  • AKiileX (Finder)

Vulnerability Details

ID: CVE-2025-66412
Project affected: Angular
Versions affected: >=21.0.0-next.0 <21.0.2, >=20.0.0-next.0 <20.3.15, >=19.0.0-next.0 <19.2.17, <=18.2.14
Published date: December 2, 2025
Fix date (approximate): December 1, 2025
Severity: High
Category: Cross-Site Scripting

Severity levels by CVSS assessment:
  • Low: >=0 <4
  • Medium: >=4 <6
  • High: >=6 <8
  • Critical: >=8 <10