Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-3mrw-2h7j-zfdv
Vulnerability ID VCID-3mrw-2h7j-zfdv
Aliases CVE-2025-66412
GHSA-v4hv-rgfq-gp49
Summary Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes A **Stored Cross-Site Scripting ([XSS](https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss))** vulnerability has been identified in the **Angular Template Compiler**. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain [`javascript:` URLs](https://developer.mozilla.org/en-US/Web/URI/Reference/Schemes/javascript)) as requiring strict URL security, enabling the injection of malicious scripts. Additionally, a related vulnerability exists involving SVG animation elements (`<animate>`, `<set>`, `<animateMotion>`, `<animateTransform>`). The `attributeName` attribute on these elements was not properly validated, allowing attackers to dynamically target security-sensitive attributes like `href` or `xlink:href` on other elements. By binding `attributeName` to "href" and providing a `javascript:` URL in the `values` or `to` attribute, an attacker could bypass sanitization and execute arbitrary code. Attributes confirmed to be vulnerable include: * SVG-related attributes: (e.g., `xlink:href`), and various MathML attributes (e.g., `math|href`, `annotation|href`). * SVG animation `attributeName` attribute when bound to "href" or "xlink:href". When template binding is used to assign untrusted, user-controlled data to these attributes (e.g., `[attr.xlink:href]="maliciousURL"` or `<animate [attributeName]="'href'" [values]="maliciousURL">`), the compiler incorrectly falls back to a non-sanitizing context or fails to block the dangerous attribute assignment. This allows an attacker to inject a `javascript:URL` payload. Upon user interaction (like a click) on the element, or automatically in the case of animations, the malicious JavaScript executes in the context of the application's origin.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66412.json
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-66412
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-v4hv-rgfq-gp49
cvssv4 8.5 https://github.com/angular/angular
generic_textual HIGH https://github.com/angular/angular
cvssv4 8.5 https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc4893a
generic_textual HIGH https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc4893a
ssvc Track https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc4893a
cvssv3.1_qr HIGH https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
cvssv4 8.5 https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
generic_textual HIGH https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
ssvc Track https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
cvssv4 8.5 https://nvd.nist.gov/vuln/detail/CVE-2025-66412
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-66412
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66412.json
https://api.first.org/data/v1/epss?cve=CVE-2025-66412
https://github.com/angular/angular
https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc4893a
2418155 https://bugzilla.redhat.com/show_bug.cgi?id=2418155
CVE-2025-66412 https://nvd.nist.gov/vuln/detail/CVE-2025-66412
GHSA-v4hv-rgfq-gp49 https://github.com/advisories/GHSA-v4hv-rgfq-gp49
GHSA-v4hv-rgfq-gp49 https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66412.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/angular/angular
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc4893a
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:12:58Z/ Found at https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc4893a
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:12:58Z/ Found at https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-66412
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.05733
EPSS Score 0.00021
Published At April 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:53:27.394681+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/compiler/CVE-2025-66412.yml 38.0.0