CVE-2025-66021
XSS vulnerability in owasp-java-html-sanitizer (Maven)
What is CVE-2025-66021 About?
The OWASP Java HTML Sanitizer is vulnerable to Cross-Site Scripting (XSS) if the `HtmlPolicyBuilder` permits the `noscript` and `style` tags and also enables `allowTextIn` for the `style` tag. This misconfiguration allows attackers to bypass sanitization and inject malicious scripts. Exploitation requires a specific policy configuration and a crafted payload, making it moderately complex.
Affected Software
Technical Details
This XSS vulnerability arises when the `HtmlPolicyBuilder` in the OWASP Java HTML Sanitizer is configured to allow `noscript` and `style` tags and, crucially, has `allowTextIn("style")` enabled. The sanitizer's logic fails to correctly parse and neutralize script content embedded within `style` tags that are nested inside a `noscript` tag. Specifically, when a payload like `<noscript><style></noscript><script>alert(1)</script>` is passed, the sanitizer processes the `noscript` and `style` tags. Because of the `allowTextIn("style")` policy, the content immediately following `<style>` is treated as CSS text and is not sanitized. The browser, however, interprets the closing `</noscript>` tag, which terminates the `noscript` context. Consequently, the subsequent `<script>alert(1)</script>` becomes live HTML in the browser's DOM, leading to arbitrary JavaScript execution. This behavior differs from the same structure with a `<p>` tag in place of `<noscript>`: there the browser treats the script text as CSS content inside the `<style>` tag, and nothing executes.
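The following is an added example and is not code from this advisory or from the OWASP Java HTML Sanitizer project. It places the permissive policy described above next to a hardened one and runs the payload quoted in this section through both, the way a regression test in an application's own test suite would. It assumes the library's public `HtmlPolicyBuilder` and `PolicyFactory` API (`allowElements`, `allowTextIn`, `toFactory`, `sanitize`); the class name `NoscriptStylePolicyCheck` and the helper `isSafeOutput` are invented for this illustration.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Added example (not from the advisory or the OWASP project): compares the
// permissive policy the advisory describes with a hardened one, using the
// payload quoted in the Technical Details section as a regression input.
public class NoscriptStylePolicyCheck {

    // Payload from the advisory text, reused here only as a test input.
    static final String PAYLOAD =
        "<noscript><style></noscript><script>alert(1)</script>";

    // Misconfiguration described in the advisory: noscript and style are
    // allowed, and raw text is permitted inside style. The advisory reports
    // that the text after <style> is passed through unsanitized here.
    static PolicyFactory permissivePolicy() {
        return new HtmlPolicyBuilder()
            .allowElements("p", "noscript", "style")
            .allowTextIn("style")
            .toFactory();
    }

    // Hardened policy: neither noscript nor style is allowed, so no raw-text
    // style content reaches the output. Only the elements the application
    // actually needs (here just "p") are listed.
    static PolicyFactory hardenedPolicy() {
        return new HtmlPolicyBuilder()
            .allowElements("p")
            .toFactory();
    }

    // Minimal check for a test suite: sanitized output must not carry a script
    // tag or a closing noscript tag that could end a noscript context in the
    // browser. Case-insensitive because the browser parser is.
    static boolean isSafeOutput(String sanitized) {
        String lower = sanitized.toLowerCase();
        return !lower.contains("<script") && !lower.contains("</noscript>");
    }

    public static void main(String[] args) {
        PolicyFactory[] policies = { permissivePolicy(), hardenedPolicy() };
        String[] names = { "permissive", "hardened" };
        for (int i = 0; i < policies.length; i++) {
            String out = policies[i].sanitize(PAYLOAD);
            System.out.println(names[i] + " output: " + out);
            System.out.println(names[i] + " safe:   " + isSafeOutput(out));
        }
    }
}
```

Run with the sanitizer on the classpath; the expectation from the advisory is that the permissive policy's output fails `isSafeOutput` while the hardened policy's output passes. Keeping a check like this in the test suite is how an application notices when a later policy change reintroduces `noscript` or `style` with text allowed.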
What is the Impact of CVE-2025-66021?
Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or redirection to malicious sites, compromising user privacy and data integrity.
What is the Exploitability of CVE-2025-66021?
Exploitation requires the application to be using the OWASP Java HTML Sanitizer with a specific, permissive HtmlPolicyBuilder configuration: allowing noscript and style tags, and critically, enabling allowTextIn("style"). The attacker needs to inject a specially crafted HTML payload containing script content nested within noscript and style tags. This is a remote vulnerability, typically requiring no authentication or specific privileges, as it targets user-supplied input that is later rendered. The complexity is moderate, as it relies on a nuanced interaction between the sanitizer's policy and browser rendering behavior. The main risk factor is the misconfiguration of the HTML sanitizer policy in web applications that process and render untrusted user input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-66021?
Available Upgrade Options
- No fixes available
Additional Resources
What are Similar Vulnerabilities to CVE-2025-66021?
Similar Vulnerabilities: CVE-2023-34035, CVE-2022-23491, CVE-2021-43542, CVE-2021-39185, CVE-2021-23393
