Skip to content

CVE-2025-0716 (Medium) detected in angular-1.8.3.tgz #23433

@mend-bolt-for-github

Description

@mend-bolt-for-github

CVE-2025-0716 - Medium Severity Vulnerability

Vulnerable Library - angular-1.8.3.tgz

HTML enhanced for web apps

Library home page: https://registry.npmjs.org/angular/-/angular-1.8.3.tgz

Path to dependency file: /vendor/cache/manageiq-ui-classic-7f79b2437418/package.json

Path to vulnerable library: /vendor/cache/manageiq-ui-classic-7f79b2437418/package.json

Dependency Hierarchy:

  • angular-1.8.3.tgz (Vulnerable Library)

Found in HEAD commit: 99489caead4b82daad011bd2d1b5f720b8428654

Found in base branch: master

Vulnerability Details

Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '' SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing  and also negatively affect the application's performance and behavior by using too large or slow-to-load images.
This issue affects all versions of AngularJS.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-04-29

URL: CVE-2025-0716

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.


Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions