CVE-2025-66021 Overview
CVE-2025-66021 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] in the OWASP Java HTML Sanitizer, a configurable library used to safely include third-party HTML in web applications. The flaw affects version 20240325.1 when HtmlPolicyBuilder is configured to allow noscript and style tags with allowTextIn inside the style tag. Attackers can craft payloads that bypass CSS sanitization and inject tags not permitted by the configured HTML policy. At the time of publication, no patch is available from the OWASP project.
Critical Impact
Successful exploitation enables script execution in the victim's browser, leading to session theft, credential harvesting, and unauthorized actions performed in the user's authenticated context.
Affected Products
- OWASP Java HTML Sanitizer version 20240325.1
- Java web applications using HtmlPolicyBuilder with noscript and style tags allowed
- Applications configured with allowTextIn inside style tags
Discovery Timeline
- 2025-11-26 - CVE-2025-66021 published to NVD
- 2025-12-30 - Last updated in NVD database
Technical Details for CVE-2025-66021
Vulnerability Analysis
The OWASP Java HTML Sanitizer is designed to filter untrusted HTML and prevent XSS while permitting safe markup defined by a configurable policy. The library fails to correctly sanitize content when a policy concurrently permits noscript elements and style elements that accept text via allowTextIn. An attacker can craft input that smuggles unsanitized markup through this configuration path. The sanitizer does not strip dangerous CSS or tag content within the style element under these conditions. Browsers ultimately render the attacker-controlled content as executable script in the trusted page context.
Root Cause
The root cause is incomplete CSS and tag sanitization logic when noscript and style tags are both allowed and allowTextIn is enabled for style. The parser treats text within style blocks differently depending on whether noscript parsing is active. This parser-state mismatch allows tags that the configured HtmlPolicyBuilder would normally reject to survive sanitization. The flaw is a classic improper neutralization of input during web page generation [CWE-79].
Attack Vector
Exploitation requires an attacker to submit crafted HTML to an application that passes user content through a vulnerable HtmlPolicyBuilder configuration. The attack is network-reachable and requires user interaction, since the victim must load the rendered page containing the sanitized output. No authentication or privileges are required on the targeted application. Successful exploitation executes arbitrary JavaScript under the origin of the hosting application. See the OWASP GitHub Security Advisory GHSA-g9gq-3pfx-2gw2 for technical details on the policy configurations that trigger the issue.
Detection Methods for CVE-2025-66021
Indicators of Compromise
- Inbound HTTP payloads containing nested <noscript> and <style> tags with unexpected child markup
- Sanitizer output retaining <script>, event handler attributes, or tags not declared in the active policy
- Anomalous outbound requests from rendered pages indicating script execution against attacker-controlled hosts
Detection Strategies
- Audit Java application dependencies for owasp:java_html_sanitizer:20240325.1 using software composition analysis tooling
- Review HtmlPolicyBuilder configurations that call allowElements("noscript", "style") combined with allowTextIn("style")
- Compare sanitizer input and output in logs to identify tags surviving filtration that are outside the declared policy
Monitoring Recommendations
- Log all HTML sanitization operations and alert on output containing <script>, on* attributes, or javascript: URIs
- Enable Content Security Policy (CSP) reporting endpoints to capture script execution attempts from sanitized content
- Monitor web application firewall (WAF) telemetry for payloads combining noscript and style elements in user-submitted HTML
How to Mitigate CVE-2025-66021
Immediate Actions Required
- Inventory applications using OWASP Java HTML Sanitizer version 20240325.1 and identify those exposing user-generated HTML
- Remove noscript and style from any HtmlPolicyBuilder allowlist until a patched release is available
- Disable allowTextIn for style tags across all sanitizer policies
- Deploy a strict Content Security Policy that blocks inline script execution as a defense-in-depth control
Patch Information
At the time of publication, no patch is available from the OWASP project. Track the OWASP Java HTML Sanitizer Security Advisory for fix availability and upgrade guidance.
Workarounds
- Restrict HtmlPolicyBuilder policies to exclude noscript and style elements entirely
- Route user-submitted HTML through a secondary allowlist filter that strips style content before sanitization
- Apply CSP headers with script-src 'self' and style-src 'self' to limit the impact if a bypass occurs
- Encode rendered HTML output server-side when full HTML support is not required
// Example HtmlPolicyBuilder configuration removing the vulnerable elements.
// Avoid: .allowElements("noscript", "style").allowTextIn("style")
// Use a minimal policy until a patched release is available:
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("p", "a", "b", "i", "em", "strong", "ul", "ol", "li")
    .allowUrlProtocols("https")
    .allowAttributes("href").onElements("a")
    .toFactory();
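The following is an added example, not code from this advisory or from the OWASP project, that ties the hardened policy above to the detection strategy of comparing sanitizer output against the declared policy. It assumes the public org.owasp.html API (HtmlPolicyBuilder, PolicyFactory.sanitize) and uses a constructed sample input, not the bypass payload the advisory describes.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class SanitizerPolicyAudit {
    // Element allowlist for the hardened policy; noscript and style are deliberately absent.
    static final Set<String> ALLOWED_ELEMENTS = Set.of(
        "p", "a", "b", "i", "em", "strong", "ul", "ol", "li");

    // Hardened policy: no noscript, no style, and no allowTextIn("style").
    static PolicyFactory hardenedPolicy() {
        return new HtmlPolicyBuilder()
            .allowElements(ALLOWED_ELEMENTS.toArray(new String[0]))
            .allowUrlProtocols("https")
            .allowAttributes("href").onElements("a")
            .toFactory();
    }

    // Matches the element name of every opening tag in the sanitizer's output.
    private static final Pattern TAG = Pattern.compile("<([A-Za-z][A-Za-z0-9-]*)");

    // Returns element names that survived sanitization but are outside the declared
    // allowlist. A non-empty result means markup the policy never admitted reached the
    // output, which is the condition the detection strategy above looks for. To audit an
    // existing deployment, pass that deployment's own policy and allowlist instead.
    static Set<String> tagsOutsidePolicy(PolicyFactory policy, Set<String> allowed, String untrusted) {
        String out = policy.sanitize(untrusted);
        Set<String> unexpected = new HashSet<>();
        Matcher m = TAG.matcher(out);
        while (m.find()) {
            String name = m.group(1).toLowerCase();
            if (!allowed.contains(name)) unexpected.add(name);
        }
        return unexpected;
    }

    public static void main(String[] args) {
        // Constructed sample input: ordinary hostile markup, not the advisory's bypass payload.
        String sample = "<p onclick=\"x()\">hi <script>alert(1)</script>"
            + "<a href=\"https://example.com\">link</a><noscript><b>n</b></noscript></p>";
        Set<String> leaked = tagsOutsidePolicy(hardenedPolicy(), ALLOWED_ELEMENTS, sample);
        System.out.println(leaked.isEmpty() ? "no undeclared tags survived" : "ALERT: " + leaked);
    }
}
```

Wiring tagsOutsidePolicy into the sanitization path and alerting on a non-empty result gives the input/output comparison the monitoring recommendations call for without logging full user content.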
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.