Untriaged
Permalink
CVE-2025-0716
4.8 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): LOW
- Availability impact (A): LOW
AngularJS improper sanitization in SVG '<image>' element
Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing and also negatively affect the application's performance and behavior by using too large or slow-to-load images. This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
References
- https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915 technical-description exploit
- https://www.herodevs.com/vulnerability-directory/cve-2025-0716 third-party-advisory
- https://www.herodevs.com/vulnerability-directory/cve-2025-0716 exploit
- https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915 exploit
- https://www.herodevs.com/vulnerability-directory/cve-2025-0716 third-party-advisory
- https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915 technical-description exploit
- https://www.herodevs.com/vulnerability-directory/cve-2025-0716 exploit
- https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915 exploit
- https://www.herodevs.com/vulnerability-directory/cve-2025-0716 third-party-advisory
- https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915 technical-description exploit
- https://www.herodevs.com/vulnerability-directory/cve-2025-0716 exploit
- https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915 exploit
- https://www.herodevs.com/vulnerability-directory/cve-2025-0716 third-party-advisory
- https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915 technical-description exploit
- https://www.herodevs.com/vulnerability-directory/cve-2025-0716 exploit
- https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915 exploit
- https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html
Affected products
angular
- ==>=0.0.0
AngularJS
- ==>=0.0.0
Matching in nixpkgs
pkgs.angular-language-server
LSP for angular completions, AOT diagnostic, quick info and go to definitions
-
nixos-unstable -
- nixpkgs-unstable 20.2.1
pkgs.nodePackages.%40angular%2Fcli
CLI tool for Angular
-
nixos-unstable -
- nixpkgs-unstable 19.2.3
pkgs.nodePackages_latest.%40angular%2Fcli
CLI tool for Angular
-
nixos-unstable -
- nixpkgs-unstable 19.2.3
Package maintainers
-
@tricktron Thibault Gagnaux <tgagnaux@gmail.com>