JLSEC-2025-39

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-39.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-39.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2025-39
Aliases
Published
2025-10-14T04:37:19.606Z
Modified
2025-11-06T22:57:20.879752Z
Summary
Possible XSS in HTMLSanitizer when using svg elements
Details

Description

When the style element is added to the whitelist, the text content of a style element nested inside an svg element is emitted unescaped in the sanitizer output. A closing tag smuggled in as entity-encoded text is therefore written back as a real closing tag, which lets an attacker inject arbitrary tags after it and execute JavaScript.

This behavior is similar to the sanitization bypass described in CVE-2020-4054 (Sanitize for Ruby).

using HTMLSanitizer

# Entity-encoded tags inside a style element that sits in svg foreign content
user_input = "<svg><style>&lt;/style>&lt;img src onerror=alert(1)>"

# Start from the default whitelist and additionally allow the style element
whitelist = deepcopy(HTMLSanitizer.WHITELIST)
append!(whitelist[:elements], ["style"])
result = sanitize(user_input, whitelist=whitelist)
# The decoded closing tag survives unescaped, so the img element is injected
print(result) # <style></style><img src onerror=alert(1)></style>
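To make the mechanism behind this output concrete, the following added example (written here in Python, not code from HTMLSanitizer.jl) models the two steps involved: a style element in svg foreign content has its entities decoded during parsing, and a serializer that treats style as an HTML raw-text element then writes that decoded text back verbatim. The example reproduces the advisory's output from the vulnerable pattern, shows the escaped output of the hardened pattern, and re-parses both to check whether a browser would see an injected element. The function and constant names are the example's own.

```python
import html
from html.parser import HTMLParser

# Constructed input: the style-element content from the advisory's payload.
# Inside <svg>, style is foreign content, so the parser decodes the entities.
ENCODED_CONTENT = "&lt;/style>&lt;img src onerror=alert(1)>"

def parse_foreign_style_content(encoded: str) -> str:
    """Model of foreign-content parsing: entities in the text are decoded."""
    return html.unescape(encoded)  # -> "</style><img src onerror=alert(1)>"

def serialize_vulnerable(text: str) -> str:
    """Bug pattern: style is raw text in HTML, so the serializer writes the
    decoded text back verbatim. The smuggled </style> now closes the element."""
    return f"<style>{text}</style>"

def serialize_hardened(text: str) -> str:
    """Fix pattern: text that came from foreign content is escaped on output."""
    return f"<style>{html.escape(text, quote=False)}</style>"

class TagCollector(HTMLParser):
    """Re-parses sanitizer output the way a browser would see it."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def start_tags(markup: str):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def has_active_content(markup: str) -> bool:
    """True if re-parsing yields any element other than style, or any on* handler."""
    return any(tag != "style" or any(name.startswith("on") for name in attrs)
               for tag, attrs in start_tags(markup))

def vulnerable_output() -> str:
    return serialize_vulnerable(parse_foreign_style_content(ENCODED_CONTENT))

def hardened_output() -> str:
    return serialize_hardened(parse_foreign_style_content(ENCODED_CONTENT))

if __name__ == "__main__":
    print("vulnerable:", vulnerable_output(), has_active_content(vulnerable_output()))
    print("hardened:  ", hardened_output(), has_active_content(hardened_output()))
```

The vulnerable branch yields exactly the string the advisory prints, and re-parsing it recovers an img element with an onerror handler; the hardened branch yields only the style element.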

Impact

Possible XSS in any HTML that is sanitized with this library.

Patches

Users should upgrade to v0.2.1 as soon as possible. In this version, svg and math tags are removed by default.

Workarounds

Add the math and svg elements to the removed_elements list of your whitelist manually, e.g.

whitelist = deepcopy(HTMLSanitizer.WHITELIST)
append!(whitelist[:removed_elements], ["math", "svg"])

and pass this modified whitelist to sanitize:

sanitize(user_input, whitelist=whitelist)

References

PR for fix

Credits

Thanks to Chen T for finding and reporting this issue.

Database specific
{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "published": "2025-06-23T13:44:51Z",
            "url": "https://api.github.com/repos/JuliaComputing/HTMLSanitizer.jl/security-advisories/GHSA-3mj7-qxh9-6q4p",
            "modified": "2025-06-23T13:45:18Z",
            "html_url": "https://github.com/JuliaComputing/HTMLSanitizer.jl/security/advisories/GHSA-3mj7-qxh9-6q4p",
            "id": "GHSA-3mj7-qxh9-6q4p",
            "imported": "2025-10-14T02:21:59.106Z"
        }
    ]
}

Affected packages

Julia / HTMLSanitizer

Package

Name
HTMLSanitizer
Purl
pkg:julia/HTMLSanitizer?uuid=9a15a9f4-ddd5-46ee-89fc-c219f813dd6f

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.2.1

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-39.json"