CVE-2025-66021: OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization

November 25, 2025 (updated November 27, 2025)

It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy.

References

github.com/OWASP/java-html-sanitizer
github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2
github.com/advisories/GHSA-g9gq-3pfx-2gw2
nvd.nist.gov/vuln/detail/CVE-2025-66021

Code Behaviors & Features

Detect and mitigate CVE-2025-66021 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →