CVE-2025-66412
📋 TL;DR
A cross-site scripting (XSS) vulnerability in Angular's template compiler. The compiler's classification of which attributes carry URLs was incomplete, so a value bound into one of the unclassified attributes was not passed through Angular's URL sanitizer, and a javascript: URL placed there runs as script. The attacker has to get such a URL into a value the application binds to an affected attribute, typically through stored, attacker-controlled content (a stored XSS). Applications on affected versions that bind untrusted data into the affected attributes are exposed; auditing every binding is harder than patching, so treat all applications on affected versions as needing the update.
💻 Affected Systems
- Angular
📦 What is this software?
Angular by Angular
⚠️ Risk & Real-World Impact
Worst Case
Attackers can execute arbitrary JavaScript in users' browsers, leading to session hijacking, credential theft, complete account compromise, and data exfiltration.
Likely Case
Attackers inject malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users.
If Mitigated
With a Content Security Policy whose script-src omits 'unsafe-inline', javascript: URLs are blocked as inline script, so the bug cannot execute attacker code; what remains is whatever the attribute itself permits, such as steering the user to an attacker-controlled URL, without script execution or theft of page data. Server-side validation of URL fields narrows that further.
🎯 Exploit Status
Exploitation requires the attacker to get a crafted javascript: URL into a value that the application binds to one of the affected attributes, typically by storing it (a profile field, comment or imported record) so that Angular renders it for other users. That usually needs some level of application access, or user interaction to plant the value.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.0.2, 20.3.15, or 19.2.17 depending on your Angular version
Vendor Advisory: https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
Restart Required: Yes, as a rebuild and redeploy: the fix lives in the compiler and runtime packages that are compiled into the application bundle, so restarting a server that still serves the old bundle changes nothing.
Instructions:
1. Identify your Angular version (see How to Verify below).
2. Update to the patched release for your major line: npm update @angular/core @angular/compiler. npm update only moves within the range declared in package.json, so if that range is pinned below the fixed version, raise it first, or run ng update @angular/core @angular/cli, which rewrites package.json for you.
3. Rebuild the application (ng build) and redeploy the new bundle.
4. Confirm the installed version and test application functionality.
🔧 Temporary Workarounds
Implement a Strict Content Security Policy
Add CSP headers that disallow inline script; CSP treats javascript: URL navigation as inline script, so a policy without 'unsafe-inline' in script-src blocks it even where Angular's sanitizer does not run.
Add to web server config: Content-Security-Policy: script-src 'self'
An Angular production (AOT) build loads its scripts from files, so script-src 'self' does not break it. Angular injects component styles inline, so style-src may need a nonce (Angular accepts one through the ngCspNonce attribute on the root element) or 'unsafe-inline'; that does not weaken script-src.
Additional Input Sanitization
Validate and sanitize user input on the server before it is stored or sent to the client. For fields that end up in URL-bearing attributes, accept only an allowlist of schemes (for example http, https and mailto) rather than blocklisting the string javascript:, because the browser's URL parser normalizes case, strips embedded tabs and newlines and drops leading control characters, so JaVaScRiPt:, java<TAB>script: and similar variants all become javascript: on the client.
🧯 If You Can't Patch
- Implement a strict Content Security Policy (CSP) with no 'unsafe-inline' in script-src, which blocks inline scripts and javascript: URLs
- Validate all user input on the server before it reaches Angular; for URL fields, allowlist schemes rather than searching for the string javascript:
🔍 How to Verify
Check if Vulnerable:
package.json shows the declared version range, not what is installed; read the installed version from the lockfile or from npm list. If the installed @angular/core is below 21.0.2 (for 21.x), 20.3.15 (for 20.x) or 19.2.17 (for 19.x), you are vulnerable. The advisory lists no patched release for majors older than 19; treat them as unpatched and move to a supported major.
Check Version:
npm list @angular/core
Verify Fix Applied:
Verify Angular version after update: npm list @angular/core @angular/compiler. Ensure both report 21.0.2+, 20.3.15+ or 19.2.17+ for your major line, then rebuild and confirm the deployed bundle was built from the updated dependencies (a deployment that still ships the old bundle is still vulnerable).
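The version check above, written out as a small script. This is an added example, not code from the advisory or from the Angular project: it compares an installed @angular/core version against the patched releases listed above, treats majors older than 19 (for which the advisory lists no fix) as unpatched and majors newer than 21 as released after the fix, and reads the version out of the JSON that npm list @angular/core --json prints. The JSON sample embedded below is constructed for the example, not captured from a real project.

```javascript
// Added example; not part of the advisory or of Angular. Decides whether an
// installed @angular/core version predates the fixed release for its major line.
// The fixed versions come from the advisory text; majors older than 19 have no
// fix listed, so they are reported as unpatched; majors newer than 21 branched
// after the fix and are reported as not affected.
const PATCHED_BY_MAJOR = { 19: '19.2.17', 20: '20.3.15', 21: '21.0.2' };
const OLDEST_FIXED_MAJOR = 19;
const NEWEST_FIXED_MAJOR = 21;

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v"); null on junk.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Semver-style ordering: numeric fields first; a prerelease of X.Y.Z sorts
// before the X.Y.Z release itself (so 21.0.2-next.0 is still below 21.0.2).
function compareVersions(a, b) {
  for (const field of ['major', 'minor', 'patch']) {
    if (a[field] !== b[field]) return a[field] - b[field];
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Returns { vulnerable: true|false|null, reason }. null means "could not tell".
function assessAngularVersion(version) {
  const v = parseVersion(version);
  if (!v) return { vulnerable: null, reason: `unparseable version "${version}"` };
  if (v.major < OLDEST_FIXED_MAJOR) {
    return { vulnerable: true, reason: `no patched release listed for ${v.major}.x; upgrade to a supported major` };
  }
  if (v.major > NEWEST_FIXED_MAJOR) {
    return { vulnerable: false, reason: `${v.major}.x was released after the fix` };
  }
  const fixed = PATCHED_BY_MAJOR[v.major];
  const vulnerable = compareVersions(v, parseVersion(fixed)) < 0;
  return { vulnerable, reason: `${version} ${vulnerable ? '<' : '>='} ${fixed}` };
}

// Feed it the JSON from `npm list @angular/core --json`. SAMPLE_NPM_LIST below is
// a constructed stand-in for that output, not a capture from a real project.
function assessNpmListJson(jsonText) {
  const tree = JSON.parse(jsonText);
  const dep = tree.dependencies && tree.dependencies['@angular/core'];
  if (!dep || !dep.version) {
    return { vulnerable: null, reason: '@angular/core not present in npm list output' };
  }
  return assessAngularVersion(dep.version);
}

const SAMPLE_NPM_LIST = JSON.stringify({
  name: 'example-app',
  version: '0.0.0',
  dependencies: { '@angular/core': { version: '20.3.14' } },
});

console.log(assessNpmListJson(SAMPLE_NPM_LIST));
// -> { vulnerable: true, reason: '20.3.14 < 20.3.15' }
```

Run it against real output with node check.js < <(npm list @angular/core --json), or paste the JSON in. The prerelease handling matters for teams on next builds: 21.0.2-next.0 is reported as vulnerable because it predates the 21.0.2 release.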
📡 Detection & Monitoring
Log Indicators:
- Stored user input (profile fields, comments, imported records) containing javascript: URLs or script tags, including case variants and percent-encoded or whitespace-padded forms such as %6Aavascript: or java%09script:
- Multiple failed input validation attempts
Network Indicators:
- Requests carrying javascript: or data: URLs in parameters or request bodies, including percent-encoded forms
- Unexpected script loading from user-controlled sources
SIEM Query:
search 'javascript:' OR 'data:text/html' in web application logs
(generic pseudo-query, not a specific SIEM dialect: match case-insensitively and against URL-decoded parameter values, since %6Aavascript: or java%09script: do not contain the literal string)
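One implementation of both the server-side validation workaround (Temporary Workarounds and If You Can't Patch above) and the log detection described in this section. This is an added example and is not code from the advisory or from Angular. It assumes a validation policy that allows only http, https and mailto schemes, a placeholder base URL (https://placeholder.invalid/) used solely so that relative values parse, and combined-log-format request lines; the four log lines embedded below are constructed for the example, not real traffic. Both halves delegate normalization to the WHATWG URL parser that ships with Node, because it applies the same rules the browser does (leading control characters and spaces stripped, embedded tabs and newlines removed, scheme lowercased), which is what defeats the usual evasions of a naive string match.

```javascript
// Added example; not code from the advisory or from Angular. Two pieces that
// share one scheme check: safeUrl() for server-side validation of URL fields
// before they reach a template binding, and scanLogLines() for spotting
// javascript:/data: payloads in request logs. Both delegate normalization to the
// WHATWG URL parser (Node's global URL), which behaves like the browser's: it
// strips leading/trailing control characters and spaces, drops embedded tabs and
// newlines, and lowercases the scheme, so "JaVa\tScRiPt:" still yields "javascript:".
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // validation allowlist (assumed policy)
const SCRIPT_SCHEMES = new Set(['javascript:', 'data:']);        // detection denylist
// Placeholder base so relative values ("/settings", "2") parse; the host is not real.
const RESOLVE_BASE = 'https://placeholder.invalid/';

// Normalized scheme of a value, e.g. "javascript:", or null if it is not a URL.
function urlScheme(value) {
  try {
    return new URL(String(value), RESOLVE_BASE).protocol;
  } catch {
    return null;
  }
}

// Server-side check for a user-supplied URL: the original value when its scheme
// is allowlisted, otherwise null. Relative paths inherit the base's https: and
// are returned unchanged rather than rewritten against the placeholder host.
// Scheme allowlisting says nothing about the destination host (open redirects
// are a separate concern), only whether the value can carry script.
function safeUrl(value) {
  const scheme = urlScheme(value);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme) ? value : null;
}

// Request line of a combined-log-format entry -> path including query string.
const REQUEST_RE = /"(?:GET|POST|PUT|PATCH) (\S+) HTTP\/[\d.]+"/;

// Detection: decode every query parameter (URLSearchParams handles %xx and "+")
// and flag values whose normalized scheme is javascript: or data:. Working on
// decoded, parsed values rather than grepping the raw line catches %6Aavascript:
// and java%09script:, which never contain the literal string "javascript:".
function scanLogLines(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const m = REQUEST_RE.exec(line);
    if (!m) return;
    const path = m[1];
    const query = path.includes('?') ? path.slice(path.indexOf('?') + 1) : '';
    for (const [param, value] of new URLSearchParams(query)) {
      const scheme = urlScheme(value);
      if (scheme !== null && SCRIPT_SCHEMES.has(scheme)) {
        hits.push({ line: i + 1, param, value, scheme });
      }
    }
  });
  return hits;
}

// Constructed sample log lines (not real traffic). Line 2 hides the scheme with
// percent-encoding and an embedded tab; line 4 is a data: URL in an avatar field.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Dec/2025:10:00:01 +0000] "GET /profile?website=https://example.com/ HTTP/1.1" 200 512',
  '10.0.0.7 - - [12/Dec/2025:10:00:02 +0000] "POST /profile?website=%6Aava%09script:alert(document.cookie) HTTP/1.1" 200 512',
  '10.0.0.9 - - [12/Dec/2025:10:00:03 +0000] "GET /search?q=angular+xss&page=2 HTTP/1.1" 200 77',
  '10.0.0.3 - - [12/Dec/2025:10:00:04 +0000] "GET /profile?avatar=data:text/html,%3Cscript%3E HTTP/1.1" 200 512',
];

console.log(scanLogLines(SAMPLE_LOG));
```

The detection side flags every data: URL, not only data:text/html as in the indicator above; that is a deliberate widening, since a URL-typed field has no legitimate reason to carry a data: value in most applications, and narrowing it back is a one-line change to SCRIPT_SCHEMES. POST bodies are not in access logs, so the same per-value check belongs in the application layer for form submissions.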