CVE-2025-0716: 
AngularJS vulnerability analysis and mitigation

CVE-2025-0716 is a vulnerability discovered in AngularJS affecting all versions of the framework. The vulnerability was disclosed on April 29, 2025, and involves improper sanitization of the 'href' and 'xlink:href' attributes in SVG elements. This security flaw allows attackers to bypass common image source restrictions (HeroDevs).

The vulnerability stems from a bug in AngularJS where setting an SVG element's href or xlink:href attribute values via the ngHref and ngAttrHref directives or using interpolation bypasses image source sanitization. The issue has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L (NVD).

The vulnerability can lead to content spoofing attacks and negatively affect application performance. Attackers can bypass configured image source restrictions, potentially leading to the loading of unauthorized images from any domain. Additionally, the bypass can be exploited to load oversized or slow-loading images, impacting the application's performance and behavior (HeroDevs).

As AngularJS is End-of-Life, no official patches will be released to address this vulnerability. Users are recommended to either migrate their applications away from AngularJS or leverage commercial support partners for post-EOL security support. For those using HeroDevs Never-Ending Support (NES), the vulnerability has been fixed in AngularJS NES v1.9.8 and v1.5.24 (HeroDevs).