CVE-2025-61638


📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in MediaWiki and Parsoid that allows attackers to inject malicious scripts into web pages. It affects MediaWiki installations before versions 1.39.14, 1.43.4, or 1.44.1, and Parsoid before versions 0.16.6, 0.20.4, or 0.21.1. Users who visit compromised pages could have their sessions hijacked or be redirected to malicious sites.

💻 Affected Systems

Products:
  • MediaWiki
  • Parsoid
Versions: MediaWiki: before 1.39.14, 1.43.4, 1.44.1; Parsoid: before 0.16.6, 0.20.4, 0.21.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations running vulnerable versions; no special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, deface websites, install malware on visitor devices, or pivot to internal network attacks.

🟠 Likely Case

Session hijacking, credential theft from logged-in users, or defacement of wiki pages.

🟢 If Mitigated

Limited to content manipulation within the wiki's context if proper input validation and output encoding are enforced elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity; exploitation depends on user interaction with malicious content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki: 1.39.14, 1.43.4, 1.44.1 or later; Parsoid: 0.16.6, 0.20.4, 0.21.1 or later

Vendor Advisory: https://phabricator.wikimedia.org/T401099

Restart Required: No

Instructions:

1. Backup your MediaWiki installation.
2. Update MediaWiki to the patched version via your package manager or manual download.
3. Update Parsoid if used.
4. Clear caches and verify functionality.

🔧 Temporary Workarounds

Input Sanitization Enhancement

Operating Systems: all

Implement additional input validation and output encoding in custom extensions or templates.

Not applicable - requires code modifications

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules.
  • Restrict user permissions to minimize who can edit pages with HTML/script content.

🔍 How to Verify

Check if Vulnerable:

Check MediaWiki version in includes/DefaultSettings.php or via Special:Version page; check Parsoid version via its API or configuration files.

Check Version:

  • For MediaWiki: grep 'wgVersion' includes/DefaultSettings.php
  • For Parsoid: check package.json or run 'npm list parsoid' if applicable

Verify Fix Applied:

Confirm version numbers match or exceed patched versions; test with safe XSS payloads in sandboxed environments.
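The version comparison described above is easy to get wrong by hand because each supported branch has its own fixed release (1.39.x is fixed at 1.39.14, 1.43.x at 1.43.4, and so on). The script below is an added example, not part of this advisory or of the MediaWiki/Parsoid projects: it takes a version string as obtained from grep, Special:Version or npm and classifies it against the fixed versions listed on this page. The sample input lines are constructed; the assumption that a release branch newer than every listed branch already contains the fix is labelled in the code and should be confirmed against the vendor advisory.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release per supported branch, exactly as this advisory lists them.
FIXED: Dict[str, Dict[Tuple[int, int], Version]] = {
    "MediaWiki": {(1, 39): (1, 39, 14), (1, 43): (1, 43, 4), (1, 44): (1, 44, 1)},
    "Parsoid":   {(0, 16): (0, 16, 6), (0, 20): (0, 20, 4), (0, 21): (0, 21, 1)},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def parse_version(text: str) -> Tuple[Optional[Version], bool]:
    """Pull the first x.y[.z] out of a line such as "$wgVersion = '1.39.13';",
    "MediaWiki 1.44.1" or "parsoid@0.20.4". Returns (version, is_prerelease);
    is_prerelease is True when a suffix like -rc.0 follows the number, because
    such a build may predate the fix even though the number matches."""
    m = _VERSION_RE.search(text)
    if not m:
        return None, False
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    prerelease = text[m.end():m.end() + 1] == "-"
    return version, prerelease


def assess(product: str, version_text: str) -> Tuple[str, str]:
    """Classify one installation. Returns (status, detail) where status is one of
    fixed, vulnerable, unsupported, prerelease or unknown."""
    branches = FIXED[product]
    version, prerelease = parse_version(version_text)
    if version is None:
        return "unknown", "no version number found in input"
    if prerelease:
        return "prerelease", "pre-release build; confirm against the vendor advisory by hand"
    branch = version[:2]
    if branch in branches:
        fixed = branches[branch]
        if version >= fixed:
            return "fixed", f"{product} {fmt(version)} is at or above {fmt(fixed)}"
        return "vulnerable", f"upgrade {product} to {fmt(fixed)} or later"
    if branch > max(branches):
        # Assumption: a branch newer than every listed branch already carries
        # the fix. Verify against the vendor advisory before relying on this.
        return "fixed", f"{product} {fmt(version)} is newer than the patched branches (assumed fixed)"
    # e.g. MediaWiki 1.40-1.42: the advisory lists no fixed release for these branches.
    return "unsupported", f"no fixed release listed for {product} {branch[0]}.{branch[1]}; move to a supported branch"


if __name__ == "__main__":
    # Constructed sample inputs, each shaped like a line from grep, Special:Version or npm.
    samples = [
        ("MediaWiki", "$wgVersion = '1.39.13';"),
        ("MediaWiki", "MediaWiki 1.44.1"),
        ("MediaWiki", "1.41.0"),
        ("MediaWiki", "1.43.4-rc.0"),
        ("Parsoid", "parsoid@0.20.4"),
        ("Parsoid", '"version": "0.16.5"'),
    ]
    for product, text in samples:
        status, detail = assess(product, text)
        print(f"{status:12} {product:10} {text!r}: {detail}")
```

Feed it the actual line from your installation rather than a hand-typed number; the pre-release branch exists precisely so that an `-rc` or `-wmf` build is never silently counted as fixed.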

📡 Detection & Monitoring

Log Indicators:

  • Unusual edit patterns with script tags or JavaScript in page revisions
  • Access logs showing requests with malicious payloads in parameters

Network Indicators:

  • HTTP requests containing script injection patterns to wiki endpoints

SIEM Query:

source="mediawiki.log" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")
