Conversation
smartinellibenedetti
approved these changes
Dec 16, 2025
Contributor
smartinellibenedetti
left a comment
Confirmed that we're not vulnerable to it!
Contributor
Pull request overview
This PR documents CVE-2025-66021, a vulnerability in the OWASP Java HTML Sanitizer that does not affect Rundeck or Runbook Automation. The documentation clarifies that the products don't use the vulnerable configuration (HtmlPolicyBuilder with allowTextIn for the style tag), establishing this as a false positive for security scanning tools.
Key Changes:
- Added new CVE documentation file explaining why CVE-2025-66021 doesn't impact Rundeck/Runbook Automation
- Updated the CVE index to include a reference to the new advisory
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/history/cves/cve-2025-66021.md | New documentation file explaining that CVE-2025-66021 is a false positive for Rundeck and Runbook Automation |
| docs/history/cves/index.md | Added entry for CVE-2025-66021 to the "Additional CVE Notes" section of the security notices index |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This pull request adds documentation for CVE-2025-66021, clarifying that Rundeck and Runbook Automation are not affected by this vulnerability related to the OWASP Java HTML Sanitizer.
Security advisory documentation updates:
- Added `cve-2025-66021.md` explaining that Rundeck and Runbook Automation are not vulnerable to CVE-2025-66021, as they do not use `HtmlPolicyBuilder` with `allowTextIn` for the `style` tag.
- Updated `index.md` to include a reference to the new CVE-2025-66021 advisory.
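As an added illustration (not code from this PR or from Rundeck), the two `HtmlPolicyBuilder` shapes the advisory distinguishes, built side by side so a reviewer can see which one a codebase actually uses; the class name and the input HTML are constructed, and the OWASP Java HTML Sanitizer (`org.owasp.html`) is assumed to be on the classpath.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Added example, not from this PR or from Rundeck. It contrasts the
// configuration the advisory names (allowTextIn on the style tag) with one
// that never lets raw text through inside <style>.
public class StylePolicyCheck {

    // The configuration CVE-2025-66021 concerns: the <style> element is
    // allowed and its text content is passed through by allowTextIn("style").
    static PolicyFactory flaggedPolicy() {
        return new HtmlPolicyBuilder()
                .allowElements("p", "style")
                .allowTextIn("style")
                .toFactory();
    }

    // A policy that never calls allowTextIn("style"): <style> is not an
    // allowed element, so the sanitizer drops it together with its content.
    static PolicyFactory conservativePolicy() {
        return new HtmlPolicyBuilder()
                .allowElements("p", "b")
                .toFactory();
    }

    public static void main(String[] args) {
        // Constructed input: ordinary markup followed by a <style> block.
        String constructedInput = "<p>hello</p><style>p { color: red }</style>";
        System.out.println("flagged:      " + flaggedPolicy().sanitize(constructedInput));
        System.out.println("conservative: " + conservativePolicy().sanitize(constructedInput));
    }
}
```

If every `HtmlPolicyBuilder` in a codebase has the second shape, a dependency-version scanner hit on this CVE is the false positive the advisory describes; searching the source for `allowTextIn` is a quick way to confirm that before closing the finding.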