A vital Saved XSS vulnerability in Angular’s template compiler (CVE-2025-66412) permits attackers to execute arbitrary code by weaponizing SVG animation attributes.
Bypassing Angular’s built-in safety sanitization mechanisms and affecting functions utilizing variations beneath 19.2.17, 20.3.15, or 21.0.2.
The Angular template compiler consists of an incomplete safety schema that fails to categorise and sanitize URL-holding attributes and SVG animation parts correctly.
The vulnerability operates via two distinct assault vectors: unsafe URL attributes and dynamically manipulated SVG animation properties.
Weaponized SVG Animation Recordsdata
The flaw resides within the compiler’s incapacity to acknowledge particular URL-holding attributes (corresponding to xlink:href and href).
SVG animation parts (, , , ) as security-sensitive.
Attackers exploit this by binding untrusted knowledge to the attributeName attribute of SVG animations, then pointing it to delicate properties corresponding to href or xlink:href. By injecting a JavaScript URL payload into the animation’s values or attributes.
Malicious code executes when the ingredient is triggered both via person interplay or routinely by way of animation timing.
FieldValueCVE IDCVE-2025-66412Component@angular/compiler (npm)Vulnerability TypeStored Cross-Web site Scripting (XSS)CVSS Score8.6/10SeverityHighAttack VectorNetwork
When template bindings assign untrusted, user-controlled knowledge to weak attributes. (e.g., [attr.xlink:href]=”maliciousURL” or ).
The compiler incorrectly falls again to non-sanitizing contexts, permitting the harmful attribute task to move validation.
Profitable exploitation permits attackers to execute arbitrary code inside the weak utility’s area.
Resulting in session hijacking via cookie and authentication token theft, knowledge exfiltration of delicate person data, and unauthorized actions carried out on behalf of customers.
The assault requires two preconditions: the Angular utility should render untrusted enter (from databases, APIs, or person submissions).
Bind it to weak attributes or SVG animation properties, and the sufferer should both work together with the compromised ingredient or the animation should set off routinely.
Organizations should instantly improve to patched variations: Angular 19.2.17, 20.3.15, or 21.0.2, in line with GitHub advisory.
For Angular 18.x customers and not using a patch obtainable, implementing sturdy Content material Safety Coverage (CSP) headers that disallow JavaScript: URLs offers efficient mitigation.
Till upgrades are deployed, groups ought to audit template bindings to make sure untrusted knowledge by no means flows to weak SVG/MathML attributes.
SVG animation attribute Identify properties, and keep away from dynamic binding of user-controlled knowledge to those security-sensitive attributes.
Observe us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.
