Bug 2418155 (CVE-2025-66412)

Summary: CVE-2025-66412 angular: Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: alcohan, amctagga, aoconnor, aschwart, asoldano, bbaranow, bdettelb, bmaxwell, bniver, boliveir, brian.stansberry, darran.lofthouse, doconnor, dosoudil, eglynn, fjuma, flucifre, gmalinko, gmeno, gotiwari, gparvin, groman, istudens, ivassile, iweiss, janstey, jbalunas, jcantril, jgrulich, jhorak, jjoyce, jkoehler, jschluet, lchilton, lhh, lphiri, lsvaty, mbenjamin, mburns, mgarciac, mhackett, mosmerov, mposolda, msvehla, mvyas, nwallace, owatkins, pahickey, pberan, pdelbell, pesilva, pgrist, pjindal, pmackay, rhaigner, rmartinc, rojacob, rstancel, rstepani, sfeifer, smaestri, sostapov, ssilvert, sthorger, teagle, tom.jenkinson, tpopela, vereddy, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw exists in the template compiler of Angular as it fails to properly classify certain URL-bearing attributes (including SVG and MathML attributes such as href, xlink:href, or the attributeName of SVG animation elements) as requiring strict sanitization. As a result, an attacker who can supply untrusted data bound to those attributes may inject a malicious javascript: URL or script that persists (Stored XSS), which can execute in the context of the application's origin when rendered.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2419587, 2419589, 2419590, 2419591, 2419592, 2419593, 2419594, 2419595, 2419596, 2419597, 2419598, 2419599, 2419600, 2419601, 2419602, 2419603, 2419604, 2419605, 2419606, 2419612, 2419614, 2419608, 2419609, 2419610, 2419611, 2419613, 2419615    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-01 23:01:45 UTC 
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.