CVE-2025-66412 (High) detected in compiler-12.2.5.tgz #119
Description
CVE-2025-66412 - High Severity Vulnerability
Vulnerable Library - compiler-12.2.5.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-12.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ compiler-12.2.5.tgz (Vulnerable Library)
Found in HEAD commit: 36a9c5d28529109984de6fcc3d0a157d561dac4a
Found in base branch: master
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.
Publish Date: 2025-12-01
URL: CVE-2025-66412
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-01
Fix Resolution: https://github.com/angular/angular.git - 19.2.17,https://github.com/angular/angular.git - 20.3.15,https://github.com/angular/angular.git - 21.0.2
- Check this box to open an automated fix PR