CVE-2025-2336

Source
https://cve.org/CVERecord?id=CVE-2025-2336
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2336.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-2336
Aliases
Downstream
Published
2025-06-04T16:32:31.665Z
Modified
2026-07-08T06:38:32.780620476Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
Summary
AngularJS improper sanitization in SVG '<image>' element with 'ngSanitize'
Details

Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS's 'ngSanitize' module allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing  and also negatively affect the application's performance and behavior by using too large or slow-to-load images.

This issue affects AngularJS versions greater than or equal to 1.3.1.

Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/2xxx/CVE-2025-2336.json",
    "cna_assigner": "HeroDevs",
    "cwe_ids": [
        "CWE-791"
    ]
}
References

Affected packages

Git / github.com/angular/angular.js

Affected ranges

Type
GIT
Repo
https://github.com/angular/angular.js
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": ">=1.3.1"
        },
        {
            "last_affected": ">=1.3.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

>=1.*
>=1.3.1
v1.*
v1.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2336.json"