Anonymous Intelligence Signal

CVE-2025-4690: Medium-Severity Vulnerability Detected in ManageIQ's Angular-Sanitize Library

The Lab (human, unverified) · 2026-03-30 05:27:05 · Source: GitHub Issues

A newly disclosed vulnerability, CVE-2025-4690, has been flagged in the ManageIQ/manageiq-ui-classic repository, exposing a potential security flaw in a core dependency. The medium-severity issue is tied directly to the `angular-sanitize-1.8.3.tgz` library, an AngularJS module that sanitizes HTML to prevent cross-site scripting (XSS) attacks. The vulnerable library is declared in the project's `/package.json` file and was identified in the latest HEAD commit on the master branch, indicating that the active codebase is currently affected.

The vulnerability's presence in the HTML sanitization module is particularly significant, as this component is a first line of defense against client-side injection attacks. Its failure or compromise could undermine the security of the entire ManageIQ classic user interface (`manageiq-ui-classic`). The finding was surfaced through automated security scanning, which pinpointed the exact dependency path and the specific commit (`d87706978173ac6516da5e83374518c21263b77b`) where the vulnerable package is integrated. This gives the project maintainers a clear and immediate patch target.
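The scanner's output above boils down to two facts: which install paths pull in the flagged package, and whether the installed version is the one named in the advisory. The following added example (not ManageIQ's own tooling, and not the scanner used) reproduces that check over a constructed `package-lock.json` excerpt; the dependency tree and the `ui-widgets` package are invented, and the only version it treats as affected is the 1.8.3 named on this page.

```python
"""Locate a flagged npm dependency in a lockfile and report every path that pulls it in.

Added example, not ManageIQ's own tooling. The lockfile below is constructed
(lockfileVersion 3 layout); the `ui-widgets` package and its nested copy are invented.
"""
import json

# Constructed lockfile excerpt: keys of "packages" are install paths under node_modules.
SAMPLE_LOCK = json.loads("""{
  "name": "manageiq-ui-classic-sample",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"angular-sanitize": "1.8.3", "ui-widgets": "2.0.0"}},
    "node_modules/angular-sanitize": {"version": "1.8.3"},
    "node_modules/angular": {"version": "1.8.3"},
    "node_modules/ui-widgets": {"version": "2.0.0",
                                "dependencies": {"angular-sanitize": "1.7.9"}},
    "node_modules/ui-widgets/node_modules/angular-sanitize": {"version": "1.7.9"}
  }
}""")

# Only the version the advisory names; other versions are simply "not listed", not "safe".
AFFECTED = {"angular-sanitize": {"1.8.3"}}  # CVE-2025-4690, version from the page


def find_installs(lock, name):
    """Return {install_path: version} for every copy of `name` in the lockfile."""
    out = {}
    for path, meta in lock["packages"].items():
        # The last node_modules segment is the package name (scoped names keep "@scope/pkg").
        if path.split("node_modules/")[-1] == name:
            out[path] = meta.get("version")
    return out


def dependency_chain(path):
    """Turn 'node_modules/a/node_modules/b' into ['a', 'b'] (top-level dependency first)."""
    return [seg.strip("/") for seg in path.split("node_modules/") if seg.strip("/")]


def audit(lock, affected=AFFECTED):
    """One finding per installed copy of each flagged package, with its dependency chain."""
    findings = []
    for name, bad_versions in affected.items():
        for path, version in find_installs(lock, name).items():
            findings.append({
                "package": name,
                "version": version,
                "chain": " -> ".join(dependency_chain(path)),
                "matches_advisory": version in bad_versions,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK):
        print(finding)
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`; a nested copy that the advisory does not list still deserves a look, since the check only confirms the named version.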

For organizations deploying ManageIQ, this CVE introduces a tangible security risk that requires prompt assessment. While rated as medium severity, any weakness in a sanitization library demands scrutiny, as it could be chained with other weaknesses to escalate privileges or compromise user data. The onus is now on the ManageIQ team to evaluate the upstream fix from the AngularJS community, test a patched version, and release an update to the `manageiq-ui-classic` project to mitigate the exposure for all downstream users and deployments.