CVE-2025-66412

| EUVD-2025-200118 MEDIUM
2025-12-01 [email protected] GHSA-v4hv-rgfq-gp49
5.4
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 15, 2026 - 13:34 euvd
EUVD-2025-200118
Analysis Generated
Mar 15, 2026 - 13:34 vuln.today
Patch Released
Mar 15, 2026 - 13:34 nvd
Patch available
CVE Published
Dec 01, 2025 - 23:15 nvd
MEDIUM 5.4

Tags

XSS Ubuntu Debian Angular Redhat

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.

Analysis

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.

Technical Context

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

Affected Products

Affected products: Angular Angular

Remediation

A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Priority Score

37
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +27
POC: 0

Vendor Status

Ubuntu

Priority: Medium
angular.js
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream needs-triage -
plucky ignored end of life, was needs-triage

Debian

angular.js
Release Status Fixed Version Urgency
bullseye fixed 1.8.2-2 -
bullseye (security) fixed 1.8.3-1+deb12u1~deb11u1 -
bookworm fixed 1.8.3-1+deb12u1 -
forky, sid, trixie fixed 1.8.3-3 -
(unstable) not-affected - -

Share

CVE-2025-66412 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy