CVE-2025-66412 Overview
CVE-2025-66412 is a Stored Cross-Site Scripting (XSS) vulnerability in the Angular Template Compiler. The flaw stems from an incomplete internal security schema that fails to classify certain URL-holding attributes as requiring strict URL sanitization. Attackers can bypass Angular's built-in security sanitization by injecting javascript: URLs into these unprotected attributes, leading to script execution in the victim's browser. The vulnerability affects Angular versions prior to 21.0.2, 20.3.15, and 19.2.17. Angular has released patched versions that complete the security schema and properly enforce URL sanitization on the affected attributes.
Critical Impact
An attacker who can get a javascript: URL stored in a field that the application later binds to an affected attribute can execute JavaScript in the context of every other user who interacts with the rendered element, enabling session hijacking, credential theft, and unauthorized actions performed with the victim's privileges.
Affected Products
- Angular versions prior to 19.2.17
- Angular versions prior to 20.3.15
- Angular versions prior to 21.0.2
Discovery Timeline
- 2025-12-01 - CVE-2025-66412 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2025-66412
Vulnerability Analysis
The vulnerability resides in the Angular Template Compiler's internal security schema, which maps HTML element attributes to their required security contexts. Angular applies context-aware sanitization based on this schema, treating attributes such as href and src as URL contexts that must be screened for dangerous protocols like javascript:.
The schema is incomplete and omits certain attributes that can hold URL values. When a template binds data to one of these unclassified attributes, the compiler sees no URL context and emits no call to the URL sanitizer, so an attacker-controlled value containing a javascript: URI is written to the DOM unchanged. When a user interacts with the rendered element (for example, by clicking it), the browser evaluates the injected script.
This falls under [CWE-79] Improper Neutralization of Input During Web Page Generation. Because the data is typically persisted by the application before rendering, the attack manifests as Stored XSS, affecting any user who views the malicious content.
Root Cause
The root cause is a missing entry in the compiler's security context mapping (SECURITY_SCHEMA in @angular/compiler). The affected URL-holding attributes are not mapped to SecurityContext.URL, so when the compiler lowers a binding to one of them it emits no sanitizer call, and the bound value reaches the DOM without the javascript: check that href and src bindings receive. The fix in commit 1c6b0704fb63d051fab8acff84d076abfbc4893a adds the omitted attributes to the schema with the URL context.
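To make the mechanism concrete, the following TypeScript model (added for this page; it is not Angular's code, and the schema entries, the placeholder attribute x-card|link and the pre-fix/post-fix schemas are constructed for the example) shows how a compiler that consults a tag|attribute security schema picks a sanitizer for a binding, and why an attribute missing from that schema lets a javascript: value through unchanged:

```typescript
// Illustrative model of context-aware sanitization, written for this page.
// Not Angular's implementation: the schema contents are constructed, and
// 'x-card|link' is a placeholder standing in for the attributes the advisory
// covers, not an attribute named in it.

enum SecurityContext { NONE, HTML, STYLE, SCRIPT, URL, RESOURCE_URL }

// Keys are "tag|attribute"; "*" matches any tag (Angular's schema uses the same key shape).
type Schema = { [key: string]: SecurityContext };

// Schema as it might look before the fix: two well-known URL attributes are
// classified, the placeholder attribute is simply absent.
const SCHEMA_BEFORE_FIX: Schema = {
  'a|href': SecurityContext.URL,
  'img|src': SecurityContext.URL,
};

// The fix is nothing more than adding the missing entry.
const SCHEMA_AFTER_FIX: Schema = {
  ...SCHEMA_BEFORE_FIX,
  'x-card|link': SecurityContext.URL,
};

// Exact "tag|attr" entry first, then the "*|attr" wildcard, else NONE.
function lookupContext(schema: Schema, tag: string, attr: string): SecurityContext {
  const key = `${tag.toLowerCase()}|${attr.toLowerCase()}`;
  if (key in schema) return schema[key];
  const wildcard = `*|${attr.toLowerCase()}`;
  if (wildcard in schema) return schema[wildcard];
  return SecurityContext.NONE; // unlisted attributes get no sanitizer at all
}

// Allowlist-style URL sanitizer: relative URLs and a few known-safe schemes pass,
// everything else is neutralised by prefixing "unsafe:" (the convention Angular uses).
const SAFE_URL = /^(?:(?:https?|mailto|ftp|tel|file|sms):|[^&:\/?#]*(?:[\/?#]|$))/i;
function sanitizeUrl(value: string): string {
  return SAFE_URL.test(value) ? value : `unsafe:${value}`;
}

// What the compiled template does with a bound value for a given attribute.
function bindAttribute(schema: Schema, tag: string, attr: string, value: string): string {
  switch (lookupContext(schema, tag, attr)) {
    case SecurityContext.URL:
      return sanitizeUrl(value);
    case SecurityContext.NONE:
      return value; // no sanitizer emitted: the value is written to the DOM as-is
    default:
      throw new Error('context not modelled in this example');
  }
}

const payload = 'javascript:alert(document.cookie)';
console.log('before fix:', bindAttribute(SCHEMA_BEFORE_FIX, 'x-card', 'link', payload));
console.log('after fix: ', bindAttribute(SCHEMA_AFTER_FIX, 'x-card', 'link', payload));
```

Run it and the pre-fix schema returns the payload untouched while the post-fix schema returns it prefixed with unsafe:, which is the whole difference the commit makes; a binding to a|href is sanitized under both schemas because that entry was never missing.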
Attack Vector
Exploitation requires the attacker to control data that an Angular application binds to a vulnerable attribute in a template. A typical attack chain involves submitting a javascript: URL through a form, profile field, or API input that the application later renders in a template binding. When a victim loads the page and triggers the element, the injected script executes with the privileges of the victim's session.
The vulnerability is exploitable over the network and requires user interaction with the rendered element. Successful exploitation leads to script execution in the victim's browser context.
No public proof-of-concept exploit code has been released for CVE-2025-66412. Technical details are documented in the GitHub Security Advisory GHSA-v4hv-rgfq-gp49.
Detection Methods for CVE-2025-66412
Indicators of Compromise
- Stored user-supplied data containing javascript: URI schemes in fields rendered through Angular template bindings.
- Unexpected outbound requests from user browsers to attacker-controlled domains following page loads of Angular applications.
- Browser console errors or Content Security Policy violations referencing inline script execution from data-bound attributes.
Detection Strategies
- Audit Angular application dependencies for versions older than 19.2.17, 20.3.15, or 21.0.2 using npm list @angular/compiler or Software Bill of Materials (SBOM) tooling.
- Scan stored user-generated content for values whose URL scheme is javascript:, data:text/html, or a similarly dangerous scheme. Normalize before matching (trim leading whitespace and control characters, drop embedded tab and newline characters, ignore case); a literal prefix match on javascript: misses obfuscated variants that browsers still execute.
- Review Angular templates for property and attribute bindings ([xxx] and [attr.xxx]) that carry user-controlled values into URL-holding attributes, and audit every use of DomSanitizer.bypassSecurityTrustUrl and bypassSecurityTrustResourceUrl, since a bypassed value is never sanitized regardless of what the schema says.
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to surface script execution from untrusted sources.
- Log and alert on Web Application Firewall (WAF) events that match javascript: payloads in request bodies and query parameters.
- Correlate browser session anomalies, such as unexpected token refresh or account modification events, with recently rendered user-generated content.
How to Mitigate CVE-2025-66412
Immediate Actions Required
- Upgrade to Angular 21.0.2, 20.3.15, or 19.2.17 (or later) depending on the major release line in use, moving all @angular/* packages together so their versions stay aligned.
- Inventory all applications using @angular/compiler and prioritize internet-facing services that render user-generated content.
- After upgrading, cleanse existing stored data by removing or neutralizing javascript: and other dangerous URI schemes in fields that templates render; the patched sanitizer only protects values at render time, and previously stored payloads remain in the datastore until cleaned.
Patch Information
Angular fixed the vulnerability in versions 21.0.2, 20.3.15, and 19.2.17. The corrective change is recorded in Angular commit 1c6b0704fb63d051fab8acff84d076abfbc4893a, which extends the template compiler's security schema to classify the omitted URL-holding attributes for strict sanitization. Refer to the GitHub Security Advisory GHSA-v4hv-rgfq-gp49 for the complete advisory.
Workarounds
- Apply server-side input validation that accepts only relative URLs and URLs whose scheme is on an allowlist (http:, https:, or other approved schemes), rejecting everything else before persisting user content. Normalize before checking: trim leading whitespace and control characters, strip embedded tab and newline characters, and compare the scheme case-insensitively, because browsers apply those same transformations before deciding whether a URL is javascript:.
- Enforce a strict Content Security Policy whose script-src does not include 'unsafe-inline' (or that carries nonces or hashes, which cause 'unsafe-inline' to be ignored). Browsers check javascript: URL navigation against the script directive chain (script-src-elem, then script-src, then default-src), so such a policy stops the injected script from running even when the attribute reaches the page. This is defense in depth, not a substitute for the upgrade.
- Avoid using DomSanitizer.bypassSecurityTrust* methods on user-controlled data and audit existing usages for safety.
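The scheme check recommended in the Detection Strategies and Workarounds sections, written out in TypeScript as an example added for this page (not Angular code and not part of the advisory). It serves both uses: isAcceptableUrl is the write-time validator, and scanRecords runs the same logic over already-stored rows. The record shape and the sample rows are constructed for the example; the allowlist is an assumption to adjust per application.

```typescript
// Example added for this page: browser-aware URL scheme validation and a
// scanner over stored records. Not Angular code. The allowlist, the record
// shape and SAMPLE_RECORDS are constructed for illustration.

const ALLOWED_SCHEMES = ['http', 'https', 'mailto', 'tel']; // assumption: tune per app

// Browsers strip leading/trailing C0 controls and spaces, delete tab/CR/LF anywhere,
// and treat schemes case-insensitively. The check must do the same, or
// "\tjavascript:" and "java\nscript:" slip past a naive startsWith('javascript:').
function normalizeUrl(raw: string): string {
  return raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Lowercase scheme of the normalized URL, or null when it has none (a relative URL).
function extractScheme(raw: string): string | null {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

// Write-time validator: relative URLs pass, absolute URLs must use an allowlisted scheme.
// Anything else (javascript:, data:, vbscript:, ...) is rejected without needing a denylist.
function isAcceptableUrl(raw: string): boolean {
  const scheme = extractScheme(raw);
  return scheme === null || ALLOWED_SCHEMES.indexOf(scheme) !== -1;
}

interface StoredRecord {
  id: number;
  field: string;
  value: string;
}

interface ScanHit {
  id: number;
  field: string;
  scheme: string;
}

// Scanner for data that was stored before validation existed.
function scanRecords(records: StoredRecord[]): ScanHit[] {
  const hits: ScanHit[] = [];
  for (const r of records) {
    if (!isAcceptableUrl(r.value)) {
      hits.push({ id: r.id, field: r.field, scheme: extractScheme(r.value) || '(none)' });
    }
  }
  return hits;
}

// Constructed rows standing in for a user-profile table.
const SAMPLE_RECORDS: StoredRecord[] = [
  { id: 1, field: 'website', value: 'https://example.com/' },
  { id: 2, field: 'website', value: 'javascript:alert(document.cookie)' },
  { id: 3, field: 'website', value: '  JaVaScRiPt:alert(1)' },           // leading spaces, mixed case
  { id: 4, field: 'avatar',  value: 'java\tscript:alert(1)' },           // embedded tab
  { id: 5, field: 'avatar',  value: 'data:text/html,<script>alert(1)</script>' },
  { id: 6, field: 'website', value: '/users/6' },                        // relative, fine
  { id: 7, field: 'website', value: 'mailto:user@example.com' },         // allowlisted
];

console.log(JSON.stringify(scanRecords(SAMPLE_RECORDS)));
```

Records 2 through 5 are flagged and 1, 6 and 7 pass. Rejecting on an allowlist rather than matching a denylist is deliberate: new dangerous schemes and encodings never need to be enumerated, and a value such as localhost:8080/x is treated as a URL with scheme localhost, exactly as a browser would parse it.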
# Update Angular to a patched version. All @angular/* packages must move together;
# ng update handles that, otherwise pin every @angular/* package to the same patch version.
ng update @angular/core@21.0.2 @angular/cli@21
# Without the CLI, list every @angular/* package the project depends on, for example:
npm install @angular/core@21.0.2 @angular/compiler@21.0.2 @angular/common@21.0.2 @angular/platform-browser@21.0.2
# Verify the installed versions (they should all report the same patched version)
npm list @angular/compiler @angular/core
# Example strict Content Security Policy header (no 'unsafe-inline' in script-src)
# Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'
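A policy only helps against this bug if the directive that governs javascript: navigation forbids inline script, and CSP's fallback and override rules make that non-obvious to read off a header by eye. The following checker, added for this page as example code (not Angular's and not from the advisory), parses a Content-Security-Policy header, resolves the governing directive through the script-src-elem, script-src, default-src fallback chain, and reports whether javascript: URLs are blocked. Per-URL hash allowances under 'unsafe-hashes' are not modelled and are treated as blocked.

```typescript
// Example added for this page: decide whether a CSP header blocks javascript: URLs.
// Not Angular code. Follows CSP's directive fallback order and the rule that
// 'unsafe-inline' is ignored when a nonce, a hash or 'strict-dynamic' is present.

type CspDirectives = { [name: string]: string[] };

function parseCsp(header: string): CspDirectives {
  const directives: CspDirectives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(t => t.length > 0);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive; the first occurrence wins.
    if (!Object.prototype.hasOwnProperty.call(directives, name)) {
      directives[name] = tokens.slice(1);
    }
  }
  return directives;
}

// javascript: navigation is governed by script-src-elem, falling back to script-src,
// then to default-src. If none is present the navigation is not restricted at all.
const JS_URL_FALLBACK = ['script-src-elem', 'script-src', 'default-src'];

interface CspVerdict {
  blocksJavascriptUrls: boolean;
  governingDirective: string | null;
  reason: string;
}

function evaluateJavascriptUrls(header: string): CspVerdict {
  const csp = parseCsp(header);
  let governing: string | null = null;
  for (const d of JS_URL_FALLBACK) {
    if (Object.prototype.hasOwnProperty.call(csp, d)) { governing = d; break; }
  }
  if (governing === null) {
    return { blocksJavascriptUrls: false, governingDirective: null,
             reason: 'no script-src-elem, script-src or default-src directive' };
  }
  const sources = csp[governing].map(s => s.toLowerCase());
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = sources.indexOf("'strict-dynamic'") !== -1;
  const unsafeInline = sources.indexOf("'unsafe-inline'") !== -1;
  if (unsafeInline && !hasNonceOrHash && !strictDynamic) {
    return { blocksJavascriptUrls: false, governingDirective: governing,
             reason: "'unsafe-inline' is effective, javascript: URLs will run" };
  }
  return { blocksJavascriptUrls: true, governingDirective: governing,
           reason: unsafeInline
             ? "'unsafe-inline' is ignored because a nonce, hash or 'strict-dynamic' is present"
             : 'no inline script allowance in the governing directive' };
}

// The header from the example above, plus a weak variant for contrast.
const STRICT = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'";
console.log(JSON.stringify(evaluateJavascriptUrls(STRICT)));
console.log(JSON.stringify(evaluateJavascriptUrls(WEAK)));
```

Feed it the header your reverse proxy actually emits rather than the one in the config file; a second, looser policy added by another layer is merged by the browser as an additional restriction, but a missing or mis-named directive silently falls back to default-src or to no restriction at all, which is what this check surfaces.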
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


