CVE-2026-22610 (High) detected in core-12.2.5.tgz, compiler-12.2.5.tgz #120
Description
CVE-2026-22610 - High Severity Vulnerability
Vulnerable Libraries - core-12.2.5.tgz, compiler-12.2.5.tgz
core-12.2.5.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-12.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ core-12.2.5.tgz (Vulnerable Library)
compiler-12.2.5.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-12.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ compiler-12.2.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the "href" and "xlink:href" attributes of SVG "<script>" elements as a Resource URL context. In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections. When template binding is used to assign user-controlled data to these attributes for example, "<script [attr.href]="userInput">" the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a "data:text/javascript" URI or a link to an external malicious script. Impact When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to: - Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens. - Data Exfiltration: Accessing and transmitting sensitive information displayed within the application. - Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user. Attack Preconditions 1. The victim application must explicitly use SVG "<script>" elements within its templates. 2. The application must use property or attribute binding (interpolation) for the "href" or "xlink:href" attributes of those SVG scripts. 3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses). Patches - 19.2.18 - 20.3.16 - 21.0.7 - 21.1.0-rc.0 Workarounds Until the patch is applied, developers should: - Avoid Dynamic Bindings: Do not use Angular template binding (e.g., "[attr.href]") for SVG "<script>" elements. - Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template. Resources - angular/angular#66318
Publish Date: 2026-01-09
URL: CVE-2026-22610
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jrmj-c5cx-3cw6
Release Date: 2026-01-09
Fix Resolution: @angular/compiler - 20.3.16,@angular/compiler - 21.0.7,@angular/core - 19.2.18,@angular/core - 20.3.16,@angular/core - 21.0.7,@angular/compiler - 19.2.18