
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes (66412)

Updated on Dec 8, 2025

Environment

Framework: Angular
Affected Dependency: @angular/compiler

Description

Security Notification - December 2025 - CVE-2025-66412

  • Angular Template Compiler in @angular/compiler (<= 19.2.16)

What Are the Impacts

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (for example, those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts.

Additionally, a related vulnerability exists involving SVG animation elements (<animate>, <set>, <animateMotion>, <animateTransform>). The attributeName attribute on these elements was not properly validated, allowing attackers to dynamically target security-sensitive attributes like href or xlink:href on other elements. By binding attributeName to "href" and providing a javascript: URL in the values or to attribute, an attacker could bypass sanitization and execute arbitrary code.

Attack Preconditions

For this vulnerability to be exploited, the following conditions must be met:

  • The victim's Angular application must render data derived from untrusted input (for example, from a database or API) and bind it to one of the unsanitized URL attributes or the attributeName of an SVG animation element.
  • The victim must perform a user interaction (for example, clicking) on the compromised element for the stored script to execute, or the animation must trigger the execution.

Issue

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, which falls under the category of:

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Solution

We strongly recommend updating the Angular version to at least v19.2.17, which addresses this issue. The update ensures that your application is protected against this vulnerability.

Affected Versions: <= v19.2.16
Update to: >= v19.2.17

To update your Angular version, follow the Angular update guide.

External References