CVE-2025-52561
BaseFortify
Publication date: 2025-06-23
Last updated on: 2025-06-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade HTMLSanitizer.jl to version 0.2.1 or later. As a workaround, manually add the math and svg elements to the whitelist to prevent tag injection and JavaScript execution.
Can you explain this vulnerability to me?
This vulnerability exists in HTMLSanitizer.jl versions prior to 0.2.1 when the style tag is added to the whitelist. The content inside the style tag is incorrectly unescaped, allowing closing tags injected as content to be interpreted as real HTML. This enables tag injection and JavaScript execution, leading to possible cross-site scripting (XSS) attacks.
How can this vulnerability impact me? :
This vulnerability can lead to cross-site scripting (XSS) attacks in any HTML sanitized with the affected library. An attacker could inject malicious scripts that execute in the context of the user's browser, potentially stealing sensitive information, hijacking user sessions, or performing other malicious actions.