CVE-2025-52561 is a cross-site scripting (XSS) vulnerability identified in the JuliaComputing HTMLSanitizer.jl library, a whitelist-based HTML sanitizer used to clean and sanitize HTML content. The vulnerability affects versions prior to 0.2.1 of the library. The root cause lies in the improper handling of the <style> tag when it is added to the whitelist. Specifically, the sanitizer incorrectly unescapes the content inside the <style> tag, which allows attackers to inject closing tags as part of the content. These injected closing tags are then interpreted as actual HTML elements rather than inert text, enabling the injection of arbitrary HTML and JavaScript code. This flaw can lead to the execution of malicious scripts in the context of the affected web application, resulting in a classic reflected or stored XSS attack. The vulnerability does not require any authentication or user interaction to be exploited, and it can be triggered remotely by supplying crafted HTML content that is processed by the vulnerable sanitizer. The issue has been addressed in version 0.2.1 of HTMLSanitizer.jl, where the unescaping behavior was corrected. As a temporary workaround, users can manually add the <math> and <svg> elements to the whitelist to mitigate the risk. The CVSS 4.0 base score is 6.9, reflecting a medium severity level, with an attack vector of network, low attack complexity, no privileges or user interaction required, and limited scope impact. No known exploits have been reported in the wild as of the publication date (June 23, 2025).

For European organizations, this vulnerability poses a significant risk primarily to web applications and services that incorporate the HTMLSanitizer.jl library for sanitizing user-generated or external HTML content. Exploitation could lead to unauthorized script execution in users' browsers, enabling attackers to steal sensitive information such as session cookies, perform actions on behalf of users (CSRF), or deliver malware. This can compromise confidentiality and integrity of user data and potentially disrupt service availability if leveraged for further attacks. Organizations in sectors with high web interaction, such as finance, e-commerce, healthcare, and government services, are particularly at risk. The medium severity score indicates a moderate but non-trivial threat level, especially given the lack of required authentication or user interaction. The absence of known exploits suggests limited immediate risk, but the vulnerability's nature means it could be weaponized quickly once discovered by attackers. Failure to patch or mitigate could lead to reputational damage, regulatory penalties under GDPR if personal data is compromised, and operational disruptions.

1. Immediate upgrade to HTMLSanitizer.jl version 0.2.1 or later to apply the official patch that corrects the unescaping behavior inside the <style> tag. 2. As an interim measure, manually add the <math> and <svg> elements to the whitelist in the sanitizer configuration to reduce the attack surface. 3. Conduct a thorough audit of all web applications and services using HTMLSanitizer.jl to identify vulnerable versions and usage contexts. 4. Implement Content Security Policy (CSP) headers with strict script-src directives to restrict the execution of unauthorized scripts, mitigating the impact of potential XSS attacks. 5. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) configured to detect and block suspicious HTML or script injection attempts targeting the sanitizer. 6. Educate developers on secure coding practices related to input sanitization and output encoding, emphasizing the risks of improper whitelist configurations. 7. Monitor security advisories and threat intelligence feeds for any emerging exploit attempts targeting this vulnerability to enable rapid response.