Medium severity 5.4 · NVD Advisory · Published Dec 1, 2025 · Updated Jun 2, 2026

CVE-2025-66412

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, a Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, which allows attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, so malicious scripts can be injected through them. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions               Patched versions
@angular/compiler (npm)  >= 21.0.0-next.0, < 21.0.2      21.0.2
@angular/compiler (npm)  >= 20.0.0-next.0, < 20.3.15     20.3.15
@angular/compiler (npm)  >= 19.0.0-next.0, < 19.2.17     19.2.17
@angular/compiler (npm)  <= 18.2.14                      (none listed)

Affected products

3
  • Angular/Angular (2 versions)
    • cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* range: <=18.2.14
    • (no CPE) range: >= 21.0.0-next.0 < 21.0.2
  • ghsa-coords
    Range: >= 21.0.0-next.0, < 21.0.2
