Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered XSS with no attacker authentication; requires victim to load the page (UI:R); scope change to victim browser (S:C); full session compromise possible (C:H/I:H).
Primary rating from Vendor (https://github.com/angular/angular).
CVSS VectorVendor: https://github.com/angular/angular
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings.
Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized.
This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS).
Impact
Any Angular application that uses two-way data binding ([()] or bindon-) on security-sensitive native DOM properties (like innerHTML, href on <a>, src on <img>/<iframe>, etc.) is vulnerable to this security bypass.
Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.
Attack Preconditions
To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist:
- Two-Way Binding on Sensitive Properties: The application must bind to a sensitive native DOM property using the two-way binding syntax (e.g.,
<div [(innerHTML)]="userContent"></div>). - User-Controlled Input: The value bound to this property must be influenceable by user-controlled input.
- Absence of Additional Sanitization: The application does not perform separate manual sanitization (e.g., via
DomSanitizer) before passing the value to the bound property.
Patches
- 22.0.1
- 21.2.17
- 20.3.25
AnalysisAI
DOM sanitization bypass in @angular/compiler allows client-side XSS in Angular applications that use two-way property binding syntax on security-sensitive native DOM properties. The Angular template compiler's sanitizer-resolution phase omitted a case for the TwoWayProperty IR operation, meaning compiled templates with [(innerHTML)], [(src)], [(href)], [(srcdoc)], [(data)], or [(sandbox)] bindings emit the runtime ɵɵtwoWayProperty() instruction without the required sanitizer function argument, while identical one-way [property] bindings are correctly protected. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the patch diff in PR #69107 fully characterizes the missing code path.
Technical ContextAI
The Angular template compiler processes templates through a compilation pipeline defined in packages/compiler/src/template/pipeline/src/phases/resolve_sanitizers.ts. This phase iterates over IR operations and, for PropertyBinding operations targeting schema-flagged sensitive properties, injects references to runtime sanitizer functions (ɵɵsanitizeHtml, ɵɵsanitizeUrl, ɵɵsanitizeResourceUrl, ɵɵvalidateAttribute). The root cause confirmed in commit 3c70270 is that the switch-case handling this logic omitted the ir.OpKind.TwoWayProperty case - a single missing case statement. Consequently, compiled output for two-way bindings like [(innerHTML)] emits ɵɵtwoWayProperty('innerHTML', ctx.value) without a third sanitizer argument, whereas [innerHTML] correctly emits ɵɵproperty('innerHTML', ctx.value, ɵɵsanitizeHtml). The affected package is npm/@angular/compiler across versions 20.x, 21.x, and 22.x pre-patch, and all 19.x releases per GHSA-58w9-8g37-x9v5. CWE-79 (Improper Neutralization of Input During Web Page Generation) applies directly: user-supplied content reaches a security-sensitive DOM sink without neutralization.
RemediationAI
Upgrade @angular/compiler (and the corresponding @angular/core and Angular framework packages) to the patched versions released by the Angular team: 22.0.1, 21.2.17, or 20.3.25 depending on the major version in use, as documented in the GitHub security advisory at https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5. The fix is implemented in commit 3c70270c96677c0dd33585f2afe8e187113e5fb4 (PR #69107); upgrading via npm will pull in the corrected compiler and regenerate sanitized output on the next build. For applications on Angular 19.x or below, where no vendor-released patch has been identified, the most targeted compensating control is to audit all templates for use of the two-way binding syntax ([(property)] or bindon-property) on the properties innerHTML, srcdoc, src (img/iframe), href (link), data (object), and sandbox (iframe), then either rewrite those bindings as one-way [property] bindings (which are correctly sanitized) or introduce explicit DomSanitizer.sanitize() calls before values reach the binding. The trade-off of converting to one-way bindings is loss of automatic value write-back from the DOM; this is generally acceptable for security-sensitive properties where write-back is rarely meaningful. Do not rely on downstream HTML encoding or CSP alone as a compensating control - CSP can mitigate some XSS vectors but does not address all sensitive DOM properties (e.g., src and href navigation).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38268
GHSA-58w9-8g37-x9v5