CVE-2025-66021 Mitigation Blocked Due to WebLogic 12 Class Loader Compatibility Issue #376

@jguyea

Description

We've recently identified a compatibility issue while attempting to upgrade our java-html-sanitizer library from version 20220608.1 to 20260102.1. While upgrading to the latest version is necessary to address CVE-2025-66021, the new release introduces a problem with the WebLogic 12 class loader in our current Java 8 environment.

The issue stems from a Java catch clause in class Java8Shim introduced in release 20240325.1, which is incompatible with the WebLogic 12 class loader. As a result, the upgrade fails, blocking our ability to mitigate the CVE.

Proposed Solution:
It appears that this issue has already been addressed in the following pull request, though the fix has not yet been included in a formal release: #343

The single-line change in this commit resolves the incompatibility with the WebLogic 12 class loader. Specifically, the WebLogic class loader returns an Exception (ClassNotFoundException) instead of the expected Error (UnsupportedClassVersionError), which is not caught by the current catch clause, leading to a failure in .

Request:
We kindly request that this pull request be expedited in an upcoming release. Its inclusion would enable us to upgrade to the latest version of the library, address CVE-2025-66021, and maintain compatibility with our environment.

Environment Details:
Application Server: WebLogic 12
Java Version: 1.8
Current Library Version: 20220608.1
Target Library Version: Latest version that addresses CVE-2025-66021 and includes the pull request fix #343

Thank you for your attention to this matter. Please let us know if further details are needed.
-- Jason
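The failure mode described above, as an added example that is not the library's own Java8Shim code: a Java 8 shim that probes for a newer implementation class and falls back whether the loader rejects the class file with the usual UnsupportedClassVersionError or, as the issue reports for WebLogic 12, with a ClassNotFoundException. The class names (Impl, Java8Impl, example.hypothetical.Java9Impl) and the RejectingLoader stand-in are constructed for the example.

```java
import java.util.Arrays;
import java.util.List;

/** Added example, not code from java-html-sanitizer. Class names are hypothetical. */
public final class ShimExample {
    /** Work the shim delegates to; a real shim would wrap newer JDK APIs here. */
    interface Impl { List<String> listOf(String... items); }

    /** Fallback that only touches Java 8 APIs. */
    static final class Java8Impl implements Impl {
        public List<String> listOf(String... items) { return Arrays.asList(items); }
    }

    /** Use the newer implementation if the loader accepts it, otherwise Java8Impl. */
    static Impl select(ClassLoader loader, String newerImplName) {
        try {
            Class<?> c = Class.forName(newerImplName, true, loader);
            return (Impl) c.getDeclaredConstructor().newInstance();
        } catch (UnsupportedClassVersionError e) {
            // What a standard JVM loader throws for a class file it is too old to read.
            return new Java8Impl();
        } catch (ClassNotFoundException e) {
            // Some container loaders (the issue reports WebLogic 12) surface the same
            // situation as this checked exception. A shim whose only catch clause is
            // the Error above lets it escape and fails during initialization.
            return new Java8Impl();
        } catch (ReflectiveOperationException | LinkageError e) {
            // Any other reflective or linkage problem: stay on the Java 8 path.
            return new Java8Impl();
        }
    }

    /** Constructed stand-in for a loader that rejects unknown classes with a CNFE. */
    static final class RejectingLoader extends ClassLoader {
        @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
            throw new ClassNotFoundException(name);
        }
    }

    public static void main(String[] args) {
        Impl impl = select(new RejectingLoader(), "example.hypothetical.Java9Impl");
        System.out.println(impl.getClass().getSimpleName() + " -> " + impl.listOf("a", "b"));
    }
}
```

Dropping the ClassNotFoundException clause reproduces the reported behaviour: the probe for the newer class propagates the exception instead of selecting Java8Impl.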
