Vulnerability Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Before 21.0.2, 20.3.15 and 19.2.17, the Angular Template Compiler contained a stored cross-site scripting (XSS) vulnerability. The compiler's internal security schema, which maps element attributes to the sanitization context their bound values require, is incomplete: certain URL-holding attributes are not classified as needing URL sanitization, so a value bound to one of them (for example a javascript: URL) reaches the DOM without passing through Angular's built-in URL sanitizer and can execute attacker-controlled script. Applications that bind attacker-influenced data to such an attribute are exposed even though they never bypass sanitization explicitly, because the gap is in the compiler's schema rather than in application code; upgrading is the remedy. The issue is fixed in 21.0.2, 20.3.15 and 19.2.17.
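As an added illustration of the mechanism the description names (this is not Angular's source and not code from the advisory): a template compiler keeps a schema mapping element attributes to the sanitization context their bound values need, and any URL-holding attribute absent from that schema is written to the DOM unsanitized. The schema entries, the element name x and the attribute data-url are hypothetical, and the allow-list regex is modelled on the kind of pattern Angular's URL sanitizer uses rather than copied from it. The block also includes a small audit helper that flags URL-looking attribute names with no schema context, which generalizes beyond the single gap the advisory describes.

```javascript
// Added illustration, not code from Angular or from the advisory: a minimal model
// of how a template compiler decides whether a bound attribute value must pass
// through URL sanitization, and how a missing schema entry lets javascript: through.
// The schema entries, the element "x" and the attribute "data-url" are hypothetical.

const SecurityContext = Object.freeze({ NONE: 0, URL: 1 });

// Allow-list modelled on the kind of pattern Angular's URL sanitizer uses:
// accept an explicit scheme that is not javascript:, or a scheme-less value
// (relative path, query or fragment). Anything else is neutralized by
// prefixing "unsafe:", a scheme no browser executes.
const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:\/?#]*(?:[\/?#]|$))/i;

function sanitizeUrl(value) {
  const url = String(value).trim();
  return SAFE_URL_PATTERN.test(url) ? url : `unsafe:${url}`;
}

// Security schema: "tag|attribute" -> required context. A "*" tag applies to every element.
function securityContextFor(schema, tag, attr) {
  const a = attr.toLowerCase();
  return schema.get(`${tag.toLowerCase()}|${a}`) ?? schema.get(`*|${a}`) ?? SecurityContext.NONE;
}

// What a compiled [attr]="value" binding would write into the DOM.
function bindAttribute(schema, tag, attr, value) {
  const ctx = securityContextFor(schema, tag, attr);
  return ctx === SecurityContext.URL ? sanitizeUrl(value) : String(value);
}

// The gap: a URL-holding attribute that the schema does not classify as URL context.
const incompleteSchema = new Map([
  ['*|href', SecurityContext.URL],
  ['*|src', SecurityContext.URL],
  ['form|action', SecurityContext.URL],
]);

// The fix: classify the missing attribute so its bound values are sanitized.
const fixedSchema = new Map([...incompleteSchema, ['x|data-url', SecurityContext.URL]]);

// Defensive audit: flag bindings whose attribute name looks URL-bearing (heuristic
// suffix match) but whose schema lookup yields no sanitization context.
const URL_LIKE_ATTR = /(?:href|src|action|url|ping|cite|poster)$/i;

function auditBindings(schema, bindings) {
  return bindings
    .filter(([tag, attr]) => URL_LIKE_ATTR.test(attr) &&
      securityContextFor(schema, tag, attr) === SecurityContext.NONE)
    .map(([tag, attr]) => `${tag}|${attr}`);
}

const payload = 'javascript:alert(document.domain)'; // constructed test input
console.log(bindAttribute(incompleteSchema, 'a', 'href', payload));      // unsafe:javascript:alert(document.domain)
console.log(bindAttribute(incompleteSchema, 'x', 'data-url', payload));  // javascript:alert(document.domain)  (bypass)
console.log(bindAttribute(fixedSchema, 'x', 'data-url', payload));       // unsafe:javascript:alert(document.domain)
console.log(auditBindings(incompleteSchema, [['a', 'href'], ['x', 'data-url'], ['div', 'title']])); // [ 'x|data-url' ]
```

Run with node. The first two printed lines show the same payload neutralized on href but passed through untouched on the unclassified attribute, which is the bypass the advisory describes; adding the schema entry restores sanitization. The audit helper only catches attribute names matching its suffix heuristic and is a review aid, not a substitute for upgrading to a fixed release.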
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Angular | Angular | <= 18.2.14 |

Note: the range in this table does not match the fix versions given in the description (19.2.17, 20.3.15, 21.0.2). Treat any release below the fix version on its major line as affected; 18.x and earlier have no fix version listed here.
Related Weaknesses (CWE)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc489 (Patch)
- https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49 (Third Party Advisory)
FAQ
What is CVE-2025-66412?
CVE-2025-66412 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, a stored cross-site scripting...
How severe is CVE-2025-66412?
CVE-2025-66412 is rated MEDIUM with a CVSS base score of 5.4/10 (see the CVSS Score section above).
Is there a patch for CVE-2025-66412?
Yes. According to the description, the issue is fixed in Angular 21.0.2, 20.3.15 and 19.2.17; the references section above links the fix commit and the GitHub security advisory. Affected product: Angular (vendor: Angular).