CVE-2025-6594

4.7 MEDIUM

📋 TL;DR

This XSS vulnerability in MediaWiki's ApiSandbox.js allows attackers to inject malicious scripts into web pages viewed by other users. It affects MediaWiki installations running vulnerable versions, potentially compromising user sessions and data. Administrators of affected MediaWiki instances need to patch or mitigate this issue.

💻 Affected Systems

Products:
  • Wikimedia Foundation MediaWiki
Versions: from 1.27.0 up to, but not including, the fixed releases 1.39.13, 1.42.7, 1.43.2 and 1.44.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the ApiSandbox.js component specifically; all MediaWiki installations with vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal administrator credentials, deface wikis, or distribute malware to users through compromised pages.

🟠 Likely Case: Session hijacking, cookie theft, or unauthorized actions performed in the context of logged-in users.

🟢 If Mitigated: Limited impact with proper Content Security Policy headers and input validation, though still a security concern.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity once the injection vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.39.13, 1.42.7, 1.43.2, or later

Vendor Advisory: https://phabricator.wikimedia.org/T395063

Restart Required: No

Instructions:

1. Back up your MediaWiki installation.
2. Update MediaWiki to version 1.39.13, 1.42.7, 1.43.2, or later.
3. Clear any caches if applicable.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable ApiSandbox (applies to: all)

Temporarily disable the ApiSandbox feature to prevent exploitation.

Add $wgEnableApiSandbox = false; to LocalSettings.php

Implement CSP Headers (applies to: all)

Add Content Security Policy headers to mitigate XSS impact.

Add appropriate CSP headers via web server configuration or MediaWiki extensions.

🧯 If You Can't Patch

  • Implement strict Content Security Policy headers
  • Use web application firewall rules to block suspicious script injection patterns

🔍 How to Verify

Check if Vulnerable:

Check MediaWiki version in includes/DefaultSettings.php or via Special:Version page

Check Version:

grep 'wgVersion' includes/DefaultSettings.php

Verify Fix Applied:

Confirm version is 1.39.13, 1.42.7, 1.43.2 or later via Special:Version
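Added here as a worked example (not part of the advisory): a Python check that applies the advisory's stated version ranges to a version string, or to the $wgVersion line that the grep above returns. The branch logic (1.40.x and 1.41.x have no fixed release and so count as vulnerable), the constructed settings snippet, and the extra acceptance of a MW_VERSION define are assumptions of this example.

```python
import re

# Fixed releases named by the advisory, keyed by minor branch. Anything from
# 1.27.0 up to (not including) the branch's fixed release is vulnerable.
FIXED_BY_BRANCH = {39: (1, 39, 13), 42: (1, 42, 7), 43: (1, 43, 2)}
FIRST_AFFECTED = (1, 27, 0)
FIRST_FIXED_LINE = (1, 44, 0)   # 1.44.0 and every later release are fixed

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
# Matches "$wgVersion = '1.39.10';" (the page's grep) and, as an extra
# assumption, "define( 'MW_VERSION', '1.43.1' );".
SETTINGS_RE = re.compile(r"(?:\$wgVersion\s*=\s*|'MW_VERSION'\s*,\s*)'([^']+)'")


def parse_version(text):
    """Return (major, minor, patch) from text such as '1.39.10' or '1.43.1-wmf.2'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """True if the release falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v >= FIRST_FIXED_LINE:
        return False
    fixed = FIXED_BY_BRANCH.get(v[1])
    if fixed is None:
        return True          # 1.27 .. 1.38, 1.40, 1.41: no fixed release on the branch
    return v < fixed         # 1.39, 1.42, 1.43: fixed from the listed patch level


def version_from_settings(text):
    """Pull the version string out of a settings/defines file body."""
    m = SETTINGS_RE.search(text)
    return m.group(1) if m else None


def check_settings(text):
    """Return (version, vulnerable) for a file body, e.g. includes/DefaultSettings.php."""
    version = version_from_settings(text)
    if version is None:
        raise ValueError("no MediaWiki version found in settings text")
    return version, is_vulnerable(version)


# Constructed sample standing in for includes/DefaultSettings.php; not a real file.
SAMPLE_SETTINGS = "<?php\n# constructed sample\n$wgVersion = '1.39.10';\n"

if __name__ == "__main__":
    ver, vuln = check_settings(SAMPLE_SETTINGS)
    print(f"MediaWiki {ver}: {'VULNERABLE' if vuln else 'not affected'} by CVE-2025-6594")
```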

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript in URL parameters
  • Suspicious requests to ApiSandbox endpoints

Network Indicators:

  • Script tags in query parameters
  • Malformed API requests

SIEM Query:

web.url:*apisandbox* AND (web.url:*<script* OR web.url:*javascript:*)
