Skip to main content

HTMLSanitizer.jl CVE-2025-52561

| EUVDEUVD-2025-28447 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-06-23 security-advisories@github.com
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.2.1
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-28447
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
CVE Published
Jun 23, 2025 - 21:15 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

HTMLSanitizer.jl is a Whitelist-based HTML sanitizer. Prior to version 0.2.1, when adding the style tag to the whitelist, content inside the tag is incorrectly unescaped, and closing tags injected as content are interpreted as real HTML, enabling tag injection and JavaScript execution. This could result in possible cross-site scripting (XSS) in any HTML that is sanitized with this library. This issue has been patched in version 0.2.1. A workaround involves adding the math and svg elements to the whitelist manually.

Analysis

HTMLSanitizer.jl is a Whitelist-based HTML sanitizer. Prior to version 0.2.1, when adding the style tag to the whitelist, content inside the tag is incorrectly unescaped, and closing tags injected as content are interpreted as real HTML, enabling tag injection and JavaScript execution. This could result in possible cross-site scripting (XSS) in any HTML that is sanitized with this library. This issue has been patched in version 0.2.1. A workaround involves adding the math and svg elements to the whitelist manually.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Share

CVE-2025-52561 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy