Impact
Angular’s compiler incorrectly handled two‑way property bindings for DOM properties that normally require sanitization, such as innerHTML, src, href and others. When an attacker can control the value assigned to a two‑way bound property, the framework emits the property setter without applying the sanitizer, enabling execution of arbitrary client‑side script. This flaw results in a client‑side XSS vulnerability manifested when sensitive DOM properties are bound two‑ways rather than one‑way, exposing the application to script injection attacks that can compromise user data or session state.
Affected Systems
The vulnerability affects all Angular versions older than 22.0.1, 21.2.17, or 20.3.25. These releases are associated with the @angular/compiler package. Applications built with Angular 22, 21, or 20 that have not applied these specific patch releases are potentially exposed.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. The likely attack vector involves an attacker who can supply or manipulate the value of a two‑way bound property, such as through untrusted user input, template modifications, or prototype pollution. Because the sanitization is bypassed only for two‑way bindings, mitigations that enforce one‑way binding or explicit sanitization reduce the risk.
OpenCVE Enrichment
Github GHSA