Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.0.2, 20.3.15, and 19.2.17 contain a stored Cross-Site Scripting (XSS) vulnerability in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, which allows attackers to bypass Angular's built-in sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, so values bound to those attributes are not sanitized as URLs and malicious scripts can be injected. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17. The CPE-derived range data in this record also lists releases from 0 through 18.2.14 as affected; the record names fixed releases only in the 19.x, 20.x, and 21.x lines.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"last_affected": ">= 21.0.0-next.0 < 21.0.2"
},
{
"last_affected": ">= 20.0.0-next.0 < 20.3.15"
},
{
"last_affected": ">= 19.0.0-next.0 < 19.2.17"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66412.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-79"
]
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "18.2.14"
},
{
"introduced": "19.0.0"
},
{
"fixed": "19.2.17"
},
{
"introduced": "20.0.0"
},
{
"fixed": "20.3.15"
},
{
"introduced": "21.0.0"
},
{
"fixed": "21.0.2"
}
],
"cpe": "cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:*"
}