CVE-2025-52561

Published Jun 23, 2025

Last updated 12 days ago

HTMLSanitizer.jl

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-52561 affects HTMLSanitizer.jl, a Whitelist-based HTML sanitizer. In versions prior to 0.2.1, a vulnerability exists related to the handling of the style tag. When the style tag is added to the whitelist, the content within the tag is incorrectly unescaped. This incorrect unescaping allows closing tags injected as content to be interpreted as real HTML. This enables tag injection and JavaScript execution, potentially leading to cross-site scripting (XSS) attacks in HTML sanitized using this library. The issue is resolved in version 0.2.1. A workaround involves manually adding the math and svg elements to the whitelist.

Description: HTMLSanitizer.jl is a Whitelist-based HTML sanitizer. Prior to version 0.2.1, when adding the style tag to the whitelist, content inside the tag is incorrectly unescaped, and closing tags injected as content are interpreted as real HTML, enabling tag injection and JavaScript execution. This could result in possible cross-site scripting (XSS) in any HTML that is sanitized with this library. This issue has been patched in version 0.2.1. A workaround involves adding the math and svg elements to the whitelist manually.
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Risk scores

CVSS 4.0

Type: Secondary
Base score: 6.9
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-79

Hype score: Not currently trending

References