CVE-2025-66021: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in OWASP java-html-sanitizer
OWASP Java HTML Sanitizer is a configurable HTML sanitizer written in Java, allowing inclusion of HTML authored by third parties in web applications while protecting against XSS. In version 20240325.1, OWASP Java HTML Sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which are not mentioned in the HTML policy. At time of publication no known patch is available.
AI Analysis
Technical Summary
The OWASP Java HTML Sanitizer is a configurable library designed to safely include third-party HTML content in Java web applications by sanitizing potentially dangerous input to prevent cross-site scripting (XSS). In version 20240325.1, a vulnerability (CVE-2025-66021) was identified in policies where HtmlPolicyBuilder allows the noscript and style elements and additionally applies allowTextIn to the style element, so that the text content of a style block passes through without CSS sanitization. This configuration permits attackers to craft payloads that bypass the sanitizer's CSS sanitization and smuggle in markup the HTML policy never allowed, ultimately executing arbitrary JavaScript in the victim's browser. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The attack vector is network-based and requires no privileges, but user interaction is necessary to trigger the XSS. The vulnerability affects confidentiality and integrity by enabling script execution that can steal session tokens, perform actions on behalf of users, or manipulate page content. At the time of publication, no patch or fix is available, increasing the urgency for defensive measures. Although no known exploits are currently in the wild, the high CVSS score (8.6) reflects the potential impact and ease of exploitation. The vulnerability is particularly relevant for applications that rely on this sanitizer to safely render third-party HTML content, especially when policies permit the problematic tags and directives.
Potential Impact
For European organizations, this vulnerability poses a significant risk to web applications that incorporate third-party HTML content and use the OWASP Java HTML Sanitizer version 20240325.1. Successful exploitation can lead to theft of sensitive user data such as authentication tokens, session hijacking, unauthorized actions performed on behalf of users, and defacement or manipulation of web content. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches), and cause financial losses. The vulnerability's ability to bypass sanitization of CSS and inject scripts increases the attack surface, especially in sectors with high web application usage such as finance, e-commerce, and public services. Since no patch is currently available, organizations face increased exposure until mitigations are applied. The requirement for user interaction means phishing or social engineering could be used to trigger the exploit, increasing risk in environments with high user traffic and diverse user bases.
Mitigation Recommendations
1. Immediately review and modify HtmlPolicyBuilder configurations to disallow noscript and style tags with allowTextIn inside style tags until a patch is released.
2. Implement additional server-side input validation and output encoding to complement the sanitizer, focusing on CSS content and style-related inputs.
3. Employ Content Security Policy (CSP) headers to restrict script execution and mitigate the impact of potential XSS attacks.
4. Conduct thorough code audits and penetration testing on web applications using this sanitizer version to identify and remediate exploitable injection points.
5. Educate developers and security teams about the vulnerability and safe configuration practices for HTML sanitization.
6. Monitor OWASP and vendor channels for updates or patches and plan prompt deployment once available.
7. Consider alternative sanitization libraries or versions not affected by this vulnerability if immediate mitigation is required.
8. Enhance user awareness to reduce the risk of social engineering attacks that could trigger the vulnerability.
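The following Java class is an added illustration of recommendation 1; it is not code from the OWASP project or from this advisory. It places the policy shape the advisory describes as risky (noscript and style allowed as elements, plus allowTextIn("style")) next to a hardened policy that never emits raw style or noscript blocks, and adds a fail-closed check on the sanitized output. The class name, the constant names, the sample input and the containsForbiddenElement helper are all assumptions made for this example; the builder methods used (allowCommonBlockElements, allowCommonInlineFormattingElements, allowElements, allowTextIn, allowStyling, toFactory, sanitize) are the library's documented public API.

```java
import java.util.Locale;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added example, not part of the OWASP java-html-sanitizer project.
 * Shows the risky policy shape from CVE-2025-66021 beside a hardened one.
 */
public final class SanitizerPolicyReview {

    // Risky shape described by the advisory: <noscript> and <style> are allowed
    // as elements, and allowTextIn("style") lets the raw stylesheet text through
    // without CSS sanitization. Kept here only to make the contrast explicit;
    // an application should not have this policy reachable at all.
    static final PolicyFactory RISKY_POLICY = new HtmlPolicyBuilder()
            .allowCommonBlockElements()
            .allowCommonInlineFormattingElements()
            .allowElements("noscript", "style")
            .allowTextIn("style")
            .toFactory();

    // Hardened shape: no <style> or <noscript> elements. Authors who need
    // per-element styling get allowStyling(), which routes CSS through the
    // library's CSS schema instead of passing text through verbatim.
    static final PolicyFactory HARDENED_POLICY = new HtmlPolicyBuilder()
            .allowCommonBlockElements()
            .allowCommonInlineFormattingElements()
            .allowStyling()
            .toFactory();

    /** Sanitize with the hardened policy and refuse to render if a forbidden element survives. */
    static String sanitizeUntrusted(String html) {
        String out = HARDENED_POLICY.sanitize(html);
        if (containsForbiddenElement(out)) {
            // Fail closed: a false positive costs one render, a miss costs an XSS.
            throw new IllegalStateException("sanitizer output contains a forbidden element; refusing to render");
        }
        return out;
    }

    /**
     * Defence-in-depth check on the *sanitized* output (assumed helper, not a
     * substitute for the sanitizer). The output is serialized by the library,
     * so a plain substring test on the opening tags is sufficient here.
     */
    static boolean containsForbiddenElement(String html) {
        String lower = html.toLowerCase(Locale.ROOT);
        return lower.contains("<style") || lower.contains("<noscript");
    }

    public static void main(String[] args) {
        // Constructed sample input: benign markup plus empty style and noscript blocks.
        String untrusted = "<p style=\"color:red\">Hello</p><style></style><noscript><b>x</b></noscript>";
        System.out.println("risky    : " + RISKY_POLICY.sanitize(untrusted));
        System.out.println("hardened : " + sanitizeUntrusted(untrusted));
    }
}
```

Running main() with the library on the classpath prints the two outputs side by side: the risky policy preserves the style and noscript blocks, while the hardened policy drops both and keeps only the inline color declaration that allowStyling() vetted. In a real code base the review step is to search every HtmlPolicyBuilder for allowElements containing "style" or "noscript" and for any allowTextIn("style"), then replace them with the hardened shape; the sanitizeUntrusted guard is a second layer that catches a policy someone re-widens later.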
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-21T01:08:02.613Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69265f3eca41832e1e61653e
Added to database: 11/26/2025, 2:00:30 AM
Last enriched: 12/3/2025, 4:26:52 AM
Last updated: 12/4/2025, 10:21:04 PM