CVE-2025-66021: 
Java vulnerability analysis and mitigation

OWASP Java HTML Sanitizer version 20240325.1 contains a Cross-Site Scripting (XSS) vulnerability that was discovered and disclosed on November 25, 2025. The vulnerability affects the HTML sanitization process when the HtmlPolicyBuilder allows noscript and style tags with allowTextIn functionality inside the style tag (GitHub Advisory).

The vulnerability occurs specifically when HtmlPolicyBuilder allows both noscript and style tags with allowTextIn inside style tags. The issue arises from how the browser perceives noscript tags post-sanitization. When a payload combines noscript tag with style tag, the browser processes the noscript wrapper around the style tag differently, allowing script payload to be executed as valid HTML. The vulnerability has been assigned a CVSS 4.0 base score of 8.6 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability can lead to Cross-Site Scripting (XSS) attacks in applications using the affected version of the OWASP Java HTML Sanitizer. This allows attackers to execute arbitrary web scripts or HTML in the context of other users' browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions (GitHub Advisory).

At the time of publication, no known patch is available for this vulnerability. Users should avoid configuring HtmlPolicyBuilder to allow both noscript and style tags with allowTextIn functionality inside style tags (GitHub Advisory).