HTMLSanitizer.jl Vulnerability Allows Tag Injection in Julia Library
CVE-2025-52561
6.9 MEDIUM
What is CVE-2025-52561?
HTMLSanitizer.jl, a whitelist-based HTML sanitizer for Julia, has a vulnerability that arises when the style tag is added to the whitelist. In versions prior to 0.2.1, the content inside the style tag is mistakenly unescaped, which allows the injection of content that includes closing tags. As a consequence, attackers could execute arbitrary JavaScript through tag injection during sanitization. This poses a significant risk for applications that use the library for HTML sanitization, as it can lead to cross-site scripting (XSS) attacks. The issue has been resolved in version 0.2.1, and users are advised to manually whitelist additional elements such as math and svg to mitigate risks.
Affected Version(s)
HTMLSanitizer.jl < 0.2.1
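A dependency check for the affected range above, as an added example (not code from the advisory or from the HTMLSanitizer.jl project): it reads Julia manifest files in both the old and the 2.0 layout and flags any HTMLSanitizer pin below 0.2.1. The function names and the sample manifests are constructed for illustration.

```python
import re
import sys
from pathlib import Path

PACKAGE = "HTMLSanitizer"
FIXED = (0, 2, 1)  # first patched release, as stated on this page

# Entry headers: [[HTMLSanitizer]] (old layout) or [[deps.HTMLSanitizer]] (2.0 layout).
_HEADER = re.compile(r"^\[\[(?:deps\.)?([^\]]+)\]\]$")
_VERSION = re.compile(r'^version\s*=\s*"(\d+)\.(\d+)\.(\d+)')


def pinned_versions(manifest_text, package=PACKAGE):
    """Return every (major, minor, patch) pinned for `package` in a manifest."""
    found, current = [], None
    for line in manifest_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Any table header ends the previous entry; only [[...]] starts one.
            header = _HEADER.match(line)
            current = header.group(1) if header else None
        elif current == package:
            m = _VERSION.match(line)
            if m:
                found.append(tuple(int(x) for x in m.groups()))
    return found


def is_affected(manifest_text):
    """True if any pinned HTMLSanitizer version is older than 0.2.1."""
    return any(v < FIXED for v in pinned_versions(manifest_text))


def scan(root):
    """Walk `root` and return the manifests that pin an affected version."""
    hits = []
    for path in Path(root).rglob("*Manifest*.toml"):
        if is_affected(path.read_text(encoding="utf-8", errors="replace")):
            hits.append(str(path))
    return sorted(hits)


# Constructed sample manifests (not taken from any real project).
SAMPLE_OLD = '[[Gumbo]]\nversion = "0.8.2"\n\n[[HTMLSanitizer]]\nversion = "0.2.0"\n'
SAMPLE_NEW = 'manifest_format = "2.0"\n\n[[deps.HTMLSanitizer]]\nversion = "0.2.1"\n'

if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit}: {PACKAGE} < 0.2.1 (CVE-2025-52561)")
```

A hit means the resolved version predates the fix; per the description above, exposure additionally depends on the style tag having been added to the whitelist.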
