Описание
Angular has XSS Vulnerability via Unsanitized SVG Script Attributes
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.
In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.
When template binding is used to assign user-controlled data to these attributes for example, <script [attr.href]="userInput"> the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.
Impact
When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:
- Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens.
- Data Exfiltration: Accessing and transmitting sensitive information displayed within the application.
- Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.
Attack Preconditions
- The victim application must explicitly use SVG
<script>elements within its templates. - The application must use property or attribute binding (interpolation) for the
hreforxlink:hrefattributes of those SVG scripts. - The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).
Patches
- 19.2.18
- 20.3.16
- 21.0.7
- 21.1.0-rc.0
Workarounds
Until the patch is applied, developers should:
- Avoid Dynamic Bindings: Do not use Angular template binding (e.g.,
[attr.href]) for SVG<script>elements. - Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.
Resources
Пакеты
@angular/compiler
>= 21.1.0-next.0, < 21.1.0-rc.0
21.1.0-rc.0
@angular/core
>= 21.1.0-next.0, < 21.1.0-rc.0
21.1.0-rc.0
@angular/compiler
>= 21.0.0-next.0, < 21.0.7
21.0.7
@angular/core
>= 21.0.0-next.0, < 21.0.7
21.0.7
@angular/compiler
>= 20.0.0-next.0, < 20.3.16
20.3.16
@angular/core
>= 20.0.0-next.0, < 20.3.16
20.3.16
@angular/compiler
>= 19.0.0-next.0, < 19.2.18
19.2.18
@angular/core
>= 19.0.0-next.0, < 19.2.18
19.2.18
@angular/compiler
<= 18.2.14
Отсутствует
@angular/core
<= 18.2.14
Отсутствует
Связанные уязвимости
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Angular is a development platform for building mobile and desktop web ...