Overview
CVE-2025-66021 details a Cross-Site Scripting (XSS) vulnerability identified in version 20240325.1 of the OWASP Java HTML Sanitizer. This library is widely used to sanitize HTML input, preventing malicious scripts from being injected into web applications. The vulnerability arises when the HtmlPolicyBuilder allows both <noscript> and <style> tags with allowTextIn inside the style tag. This configuration can be exploited to bypass sanitization and inject arbitrary JavaScript code.
Published on 2025-11-26T02:15:49.723, this issue highlights a potential weakness in the HTML sanitization process when specific configurations are used.
Technical Details
The vulnerability lies in the specific configuration of the HtmlPolicyBuilder. When <noscript> and <style> tags are permitted, and allowTextIn is enabled within the <style> tag, attackers can craft malicious payloads that bypass the sanitizer. The core issue is the potential for uncontrolled or poorly validated CSS within the <style> tag. This allows injection of HTML/Javascript code that is not explicitly allowed by the HTML policy.
Essentially, a crafted payload that evades the CSS sanitization rules and utilizes tags not anticipated by the HTML policy can result in successful XSS exploitation.
Example Scenario:
<style>
body { background: url("javascript:alert('XSS')"); }
</style>
In this scenario, if the CSS sanitization is inadequate, the javascript:alert('XSS') within the `url()` function will execute when the page is rendered.
CVSS Analysis
Currently, the CVE details state that the severity is N/A and the CVSS score is N/A. This likely means a formal CVSS score hasn’t been calculated or assigned yet. However, based on the potential impact of a successful XSS attack, the severity should be considered at least Medium, potentially even High, depending on the context of the affected application and the sensitivity of the data it handles. A CVSS score will depend on factors like attack vector, attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.
Possible Impact
A successful XSS attack exploiting CVE-2025-66021 can have serious consequences:
- Data Theft: Attackers can steal sensitive user data, including cookies, session tokens, and personal information.
- Account Takeover: Malicious scripts can be used to hijack user accounts.
- Defacement: The attacker can modify the appearance of the web page, potentially redirecting users to malicious sites or displaying misleading information.
- Malware Distribution: The compromised website can be used to distribute malware to unsuspecting users.
Mitigation or Patch Steps
As of the publication date of this article, no known patch is available. Therefore, the following mitigation strategies are recommended:
- Review HTML Policy: Carefully review and tighten the HTML policy used with the OWASP Java HTML Sanitizer. Specifically, scrutinize the use of
<noscript>and<style>tags, especially withallowTextIn. Consider removing or restricting these configurations. - Contextual Output Encoding: Implement robust output encoding to ensure that any HTML rendered on the page is properly escaped based on the context. This is crucial even with sanitization in place.
- Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) with rules to detect and block XSS attempts. Regularly update the WAF ruleset to address emerging threats.
- Input Validation: Implement strict input validation on all user-supplied data. While sanitization handles HTML, other forms of input validation can prevent other types of attacks.
- Monitor Security Advisories: Keep a close watch on the OWASP Java HTML Sanitizer project’s security advisories and release notes for updates and patches. Apply any patches as soon as they become available.
