CVE-2025-66412 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. Angular is a popular development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. This vulnerability occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization mechanisms.
Specifically, the schema fails to classify certain URL-holding attributes (such as those that could contain javascript: URLs) as requiring strict URL security, enabling the injection and execution of malicious scripts. This vulnerability affects Angular versions prior to 21.0.2, 20.3.15, and 19.2.17.
Critical Impact
This HIGH severity XSS vulnerability (CVSS 8.5) allows attackers to bypass Angular's security sanitization and inject malicious JavaScript through URL-holding attributes, potentially leading to session hijacking, data theft, and unauthorized actions on behalf of authenticated users.
Affected Products
- Angular versions prior to 21.0.2
- Angular versions prior to 20.3.15
- Angular versions prior to 19.2.17
Discovery Timeline
- 2025-12-01 - CVE-2025-66412 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-66412
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting). The flaw resides within Angular's Template Compiler, specifically in its internal security schema that determines which HTML attributes require sanitization.
Angular employs a security context system to protect against XSS attacks by sanitizing potentially dangerous values. However, the internal schema used by the template compiler was found to be incomplete. Certain HTML attributes that can hold URL values were not properly marked as requiring URL security context validation.
With a CVSS 4.0 score of 8.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N), this vulnerability has a network attack vector with low complexity, requires low privileges, and requires user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability.
The EPSS (Exploit Prediction Scoring System) data indicates a probability of 0.052% with a percentile ranking of 16.362 as of 2025-12-16.
Root Cause
The root cause lies in an incomplete security schema within Angular's Template Compiler. The compiler maintains an internal mapping of HTML attributes to their required security contexts (such as URL, Resource URL, HTML, Script, and Style). When this schema fails to classify certain URL-holding attributes correctly, values assigned to these attributes bypass the strict URL sanitization that would normally prevent javascript: protocol URLs from being rendered.
This oversight allows malicious payloads containing javascript: URLs to be stored and subsequently executed when other users interact with the affected content.
Attack Vector
The attack vector for CVE-2025-66412 is network-based and requires the following conditions:
- Low Privileges Required: An attacker needs at least basic access to submit content to the application
- User Interaction: A victim must interact with the malicious content (e.g., clicking a link)
- Stored XSS Context: The malicious payload is stored server-side and served to other users
An attacker exploits this vulnerability by injecting a javascript: URL into an HTML attribute that the Angular Template Compiler's security schema does not recognize as requiring URL sanitization. When the compiled template renders in a victim's browser, the malicious script executes within the security context of the vulnerable application.
The vulnerability mechanism involves attributes that can contain URLs but were not included in Angular's security schema. When a template binds user-controlled data to these attributes without proper sanitization, attackers can inject executable JavaScript payloads. For detailed technical analysis, refer to the GitHub Security Advisory GHSA-v4hv-rgfq-gp49.
Detection Methods for CVE-2025-66412
Indicators of Compromise
- Presence of javascript: protocol URLs in HTML attributes within stored application data
- Unusual JavaScript execution events triggered from unexpected DOM attribute sources
- User reports of unexpected behavior or pop-ups when viewing application content
- Server logs showing submission of content containing javascript: URL schemes in attribute values
Detection Strategies
Static Code Analysis: Review Angular templates for dynamic binding to URL-holding attributes that may not be properly sanitized. Use static analysis tools to identify template bindings that could be vulnerable.
Dependency Scanning: Implement automated dependency scanning in CI/CD pipelines to detect vulnerable Angular versions. Flag any Angular packages with versions prior to 21.0.2, 20.3.15, or 19.2.17.
Content Security Policy Monitoring: Implement strict Content Security Policy (CSP) headers and monitor for CSP violation reports, which can indicate attempted XSS exploitation.
Web Application Firewall Rules: Configure WAF rules to detect and block requests containing javascript: protocol strings in parameters that could be bound to template attributes.
Monitoring Recommendations
Organizations should implement comprehensive logging for user-submitted content, particularly monitoring for patterns associated with XSS payloads. Enable browser-side CSP reporting to capture attempted script injections. SentinelOne's Singularity platform provides real-time behavioral analysis that can detect anomalous script execution patterns indicative of XSS exploitation attempts.
Consider implementing runtime application self-protection (RASP) solutions to monitor and block malicious JavaScript execution at the application layer.
How to Mitigate CVE-2025-66412
Immediate Actions Required
- Upgrade Angular to patched versions: 21.0.2, 20.3.15, or 19.2.17 immediately
- Audit existing application content for potentially malicious stored payloads containing javascript: URLs
- Implement Content Security Policy headers with strict script-src directives as a defense-in-depth measure
- Review and restrict user permissions for content submission until patches are applied
- Enable WAF rules to block requests containing javascript: protocol strings in user input
Patch Information
The Angular team has released security patches addressing this vulnerability in the following versions:
- Angular 21.x: Upgrade to 21.0.2 or later
- Angular 20.x: Upgrade to 20.3.15 or later
- Angular 19.x: Upgrade to 19.2.17 or later
The fix is available in commit 1c6b0704fb63d051fab8acff84d076abfbc4893a. This patch updates the internal security schema to properly classify URL-holding attributes, ensuring they receive appropriate sanitization.
For complete details, see the GitHub Security Advisory.
Workarounds
If immediate patching is not possible, implement the following temporary mitigations:
# Example: Implementing Content Security Policy headers in nginx
# Add to nginx server configuration block
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';" always;
# Enable CSP reporting for monitoring
add_header Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-violation-report;" always;
Additionally, implement strict input validation on the server side to reject or sanitize any content containing javascript: protocol URLs before storing it. Consider using Angular's DomSanitizer service explicitly for any user-controlled URL bindings as an additional layer of protection until the upgrade can be completed.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
