VDB
KO
HIGH

GHSA-jrmj-c5cx-3cw6

Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

Details

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the `href` and `xlink:href` attributes of SVG `<script>` elements as a **Resource URL** context.

In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes for example, `<script [attr.href]="userInput">` the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a `data:text/javascript` URI or a link to an external malicious script.

### Impact When successfully exploited, this vulnerability allows for **arbitrary JavaScript execution** within the context of the victim's browser session. This can lead to: - **Session Hijacking:** Stealing session cookies, localStorage data, or authentication tokens. - **Data Exfiltration:** Accessing and transmitting sensitive information displayed within the application. - **Unauthorized Actions:** Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

### Attack Preconditions

1. The victim application must explicitly use SVG `<script>` elements within its templates. 2. The application must use property or attribute binding (interpolation) for the `href` or `xlink:href` attributes of those SVG scripts. 3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

### Patches - 19.2.18 - 20.3.16 - 21.0.7 - 21.1.0-rc.0

### Workarounds Until the patch is applied, developers should:

- **Avoid Dynamic Bindings**: Do not use Angular template binding (e.g., `[attr.href]`) for SVG `<script>` elements. - **Input Validation**: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.

### Resources

- https://github.com/angular/angular/pull/66318

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @angular/compiler
Introduced in: 21.1.0-next.0 Fixed in: 21.1.0-rc.0
Fix npm install @angular/compiler@21.1.0-rc.0
npm / @angular/core
Introduced in: 21.1.0-next.0 Fixed in: 21.1.0-rc.0
Fix npm install @angular/core@21.1.0-rc.0
npm / @angular/compiler
Introduced in: 21.0.0-next.0 Fixed in: 21.0.7
Fix npm install @angular/compiler@21.0.7
npm / @angular/core
Introduced in: 21.0.0-next.0 Fixed in: 21.0.7
Fix npm install @angular/core@21.0.7
npm / @angular/compiler
Introduced in: 20.0.0-next.0 Fixed in: 20.3.16
Fix npm install @angular/compiler@20.3.16
npm / @angular/core
Introduced in: 20.0.0-next.0 Fixed in: 20.3.16
Fix npm install @angular/core@20.3.16
npm / @angular/compiler
Introduced in: 19.0.0-next.0 Fixed in: 19.2.18
Fix npm install @angular/compiler@19.2.18
npm / @angular/core
Introduced in: 19.0.0-next.0 Fixed in: 19.2.18
Fix npm install @angular/core@19.2.18
npm / @angular/compiler
Introduced in: 0

No fixed version published yet for @angular/compiler (npm). Pin to a known-safe version or switch to an alternative.

npm / @angular/core
Introduced in: 0

No fixed version published yet for @angular/core (npm). Pin to a known-safe version or switch to an alternative.

References