CVE-2025-66021

6.1 MEDIUM

📋 TL;DR

This vulnerability in OWASP Java HTML Sanitizer allows cross-site scripting (XSS) when the HtmlPolicyBuilder configuration permits the noscript and style tags and uses allowTextIn to permit text content inside style tags. Attackers can bypass sanitization by crafting malicious CSS payloads. This affects web applications that use the vulnerable sanitizer version to process third-party HTML content.

💻 Affected Systems

Products:
  • OWASP Java HTML Sanitizer
Versions: Version 20240325.1
Operating Systems: All platforms running Java
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the HtmlPolicyBuilder configuration explicitly allows the noscript and style tags and uses allowTextIn to permit text content inside style tags.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, credentials, or performing actions on behalf of authenticated users.

🟠

Likely Case

Targeted XSS attacks leading to session hijacking, credential theft, or defacement of web applications.

🟢

If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific policy configurations and crafted CSS payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2

Restart Required: Yes

Instructions:

No official patch available. Monitor the GitHub advisory for updates and apply when released.

🔧 Temporary Workarounds

Update HtmlPolicyBuilder Configuration

Platform: all

Modify the sanitizer configuration to disallow the noscript and style tags, or restrict allowTextIn usage within style tags.

Review and update Java code using HtmlPolicyBuilder to remove vulnerable configurations.
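The workaround above is a policy change in application code. The following is an added example (not code from the advisory or from the OWASP Java HTML Sanitizer project) showing the policy shape the advisory describes as vulnerable next to a hardened equivalent, plus the check a reviewer would run for the "Verify Fix Applied" step: the sanitizer output for a sample document must contain no style or noscript element. The sample HTML is constructed for the example; the class and method names are the example's own.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Added example (not from the advisory or the project): the policy shape the
// advisory describes as vulnerable beside a hardened one, and a check that the
// hardened policy drops the affected elements.
public class SanitizerPolicyCheck {

    // Configuration matching the advisory's description of the vulnerable shape:
    // noscript and style are allowed, and text content is allowed inside style.
    // Kept only so a reviewer can recognise it in a code base; do not deploy.
    static PolicyFactory vulnerableShapePolicy() {
        return new HtmlPolicyBuilder()
                .allowElements("p", "b", "i", "noscript", "style")
                .allowTextIn("style")
                .toFactory();
    }

    // Hardened configuration: neither noscript nor style is allowed, so there is
    // no element into which untrusted CSS text can be passed.
    static PolicyFactory hardenedPolicy() {
        return new HtmlPolicyBuilder()
                .allowElements("p", "b", "i")
                .toFactory();
    }

    // Verification step: sanitize a sample document and confirm that no style or
    // noscript element survives in the output.
    static boolean dropsAffectedElements(PolicyFactory policy) {
        // Constructed sample input; a real check would use the application's own fixtures.
        String sample = "<p>Hello <b>world</b></p>"
                + "<style>p { color: red; }</style>"
                + "<noscript>fallback text</noscript>";
        String out = policy.sanitize(sample).toLowerCase();
        return !out.contains("<style") && !out.contains("<noscript");
    }

    public static void main(String[] args) {
        System.out.println("hardened policy drops style/noscript: "
                + dropsAffectedElements(hardenedPolicy()));
        System.out.println("vulnerable-shape policy drops style/noscript: "
                + dropsAffectedElements(vulnerableShapePolicy()));
    }
}
```

Run this against the application's actual policy object rather than the example's: if `dropsAffectedElements` returns false for the production policy, the configuration still allows the affected elements and the workaround has not been applied.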

🧯 If You Can't Patch

  • Implement strict Content Security Policy headers to mitigate XSS impact
  • Apply additional input validation and output encoding layers

🔍 How to Verify

Check if Vulnerable:

Check whether the application uses OWASP Java HTML Sanitizer version 20240325.1 with an HtmlPolicyBuilder configuration that allows the noscript and style tags and uses allowTextIn for style tags.

Check Version:

Check Maven/Gradle dependencies or project configuration for 'owasp-java-html-sanitizer' version.

Verify Fix Applied:

Verify configuration changes by testing with XSS payloads and reviewing sanitizer output.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML/CSS patterns in user input logs
  • Sanitizer error or warning messages

Network Indicators:

  • Suspicious JavaScript execution patterns in browser traffic

SIEM Query:

Search for patterns of noscript/style tags in user-submitted HTML content
