CVE-2025-66412

medium

Published 2025-12-02 · Modified 2026-06-02

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4 NEW

8.5

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

VIR risk

5.4

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.

Predictions

Exploit likelihood

64%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact

OS	Version	Status	Fixed in
debian	bullseye	fixed	`0`
debian	trixie	fixed	`0`
debian	bookworm	fixed	`0`
debian	sid	fixed	`0`
debian	forky	fixed	`0`

Package impact

Ecosystem	Package	Vulnerable	Fixed
npm	@angular/compiler	`>=21.0.0-next.0,<21.0.2`	`21.0.2`
npm	@angular/compiler	`>=20.0.0-next.0,<20.3.15`	`20.3.15`
npm	@angular/compiler	`>=19.0.0-next.0,<19.2.17`	`19.2.17`
npm	@angular/compiler	`<=18.2.14`

Application impact

Vendor	Product	Versions	Fixed
angular	angular	`{"endIncluding":"18.2.14"}`
angular	angular	`{"startIncluding":"19.0.0","endExcluding":"19.2.17"}`	`19.2.17`
angular	angular	`{"startIncluding":"20.0.0","endExcluding":"20.3.15"}`	`20.3.15`
angular	angular	`{"startIncluding":"21.0.0","endExcluding":"21.0.2"}`	`21.0.2`

References

CWEs

CWE-79

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.