@angular/compiler 19.2.16 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @angular/compiler package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of SVG `<script>` element attributes `href` and `xlink:href` when user-controlled data is bound to these attributes. An attacker can execute arbitrary JavaScript code in the victim's browser by supplying a crafted payload through untrusted data sources that are bound to these attributes. ##Workaround This vulnerability can be mitigated by avoiding dynamic template bindings for SVG `<script>` elements and strictly validating input against a trusted allowlist before it reaches the template. How to fix Cross-site Scripting (XSS)? Upgrade `@angular/compiler` to version 19.2.18, 20.3.16, 21.0.7, 21.1.0-rc.0 or higher.	<19.2.18>=20.0.0-next.0 <20.3.16>=21.0.0-next.0 <21.0.7>=21.1.0-next.0 <21.1.0-rc.0
H Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via incomplete sanitization of certain SVG and MathML attributes, including `xlink:href`, `math\|href`, as well as the `attributeName` attribute of SVG animation elements when it is bound to `href` or `xlink:href`. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a `javascript:` URL payload into these attributes, which is then triggered either by user interaction or automatically through animation. How to fix Cross-site Scripting (XSS)? Upgrade `@angular/compiler` to version 19.2.17, 20.3.15, 21.0.2 or higher.	<19.2.17>=20.0.0-next.0 <20.3.15>=21.0.0-next.0 <21.0.2

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of SVG <script> element attributes href and xlink:href when user-controlled data is bound to these attributes. An attacker can execute arbitrary JavaScript code in the victim's browser by supplying a crafted payload through untrusted data sources that are bound to these attributes.

##Workaround

This vulnerability can be mitigated by avoiding dynamic template bindings for SVG <script> elements and strictly validating input against a trusted allowlist before it reaches the template.

How to fix Cross-site Scripting (XSS)?

Upgrade @angular/compiler to version 19.2.18, 20.3.16, 21.0.7, 21.1.0-rc.0 or higher.

<19.2.18>=20.0.0-next.0 <20.3.16>=21.0.0-next.0 <21.0.7>=21.1.0-next.0 <21.1.0-rc.0

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via incomplete sanitization of certain SVG and MathML attributes, including xlink:href, math|href, as well as the attributeName attribute of SVG animation elements when it is bound to href or xlink:href. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered either by user interaction or automatically through animation.

How to fix Cross-site Scripting (XSS)?

Upgrade @angular/compiler to version 19.2.17, 20.3.15, 21.0.2 or higher.

<19.2.17>=20.0.0-next.0 <20.3.15>=21.0.0-next.0 <21.0.2

@angular/compiler@19.2.16 vulnerabilities

Angular - the compiler library

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically