CVE-2025-67475
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in MediaWiki's CommentFormatter/CommentParser.php that allows attackers to inject malicious scripts into web pages. The vulnerability affects MediaWiki installations running affected versions, potentially compromising user sessions and data. Users of vulnerable MediaWiki instances are at risk of having their browsers execute unauthorized code.
💻 Affected Systems
- Wikimedia Foundation MediaWiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface wikis, install malware on visitor browsers, or pivot to internal network attacks through compromised admin accounts.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users.
If Mitigated
With proper input validation and output encoding, the impact is limited to potential script execution in specific contexts, and modern browsers' XSS protections might block some attacks.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity, though specific exploit details for this CVE aren't publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.39.16, 1.43.6, 1.44.3, 1.45.1 or later
Vendor Advisory: https://phabricator.wikimedia.org/T406664
Restart Required: No
Instructions:
1. Back up your MediaWiki installation and database.
2. Download the patched version from mediawiki.org.
3. Replace affected files with patched versions.
4. Run update.php if database schema changes are required.
🔧 Temporary Workarounds
Input Sanitization Enhancement
Implement additional input validation and output encoding for comment fields:
- Modify LocalSettings.php to add custom sanitization rules
- Implement Content-Security-Policy headers
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Deploy web application firewall (WAF) rules specifically blocking XSS payloads in comment fields
🔍 How to Verify
Check if Vulnerable:
Check the MediaWiki version and compare it against the affected versions. Confirm that includes/CommentFormatter/CommentParser.php exists in the installation.
Check Version:
php maintenance/run.php version | grep 'MediaWiki'   # on 1.39.x, which lacks run.php, use: php maintenance/version.php
Verify Fix Applied:
Verify MediaWiki version is 1.39.16, 1.43.6, 1.44.3, 1.45.1 or later. Test comment functionality with XSS payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual comment submissions with script tags or JavaScript code
- Multiple failed comment submissions with encoded payloads
Network Indicators:
- HTTP requests containing script tags in comment parameters
- Unusual outbound connections from MediaWiki server after comment submissions
SIEM Query:
source="mediawiki_access.log" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=")
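As an added example (not part of the advisory), the following Python applies the same four indicators as the SIEM query above to access-log lines after URL-decoding each query parameter, so the percent-encoded payloads mentioned under Log Indicators are caught as well; the log lines are constructed samples and the comment parameter names are an assumption for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# The same indicators as the SIEM query, matched case-insensitively
# against the decoded value of every query parameter.
XSS_MARKERS = ("<script", "javascript:", "onload=", "onerror=")

# Parameter names MediaWiki uses for edit summaries/comments (assumed for this example).
COMMENT_PARAMS = {"wpSummary", "summary", "reason"}

# Combined log format: client, identd, user, [timestamp], "METHOD TARGET PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: a benign edit, a URL-encoded script tag in the API
# summary field, and a double-encoded event handler in the edit-form summary.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /index.php?title=Talk:Main_Page&action=edit&wpSummary=fix+typo HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jan/2025:12:00:05 +0000] "GET /api.php?action=edit&title=Main_Page&summary=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 310',
    '203.0.113.9 - - [10/Jan/2025:12:00:09 +0000] "GET /index.php?title=Sandbox&wpSummary=%253Cimg%2520onerror%253Dx%253E HTTP/1.1" 200 4097',
]


def scan_line(line):
    """Return a list of (parameter, marker) hits for one access-log line, [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a parseable access-log line
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    hits = []
    for param, values in query.items():
        for raw in values:
            # parse_qs already decoded once; a second unquote catches double-encoded payloads.
            decoded = unquote_plus(raw).lower()
            hits.extend((param, marker) for marker in XSS_MARKERS if marker in decoded)
    return hits


def scan_log(lines):
    """Return (line_index, hits, touches_comment_param) for every line with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((i, hits, any(p in COMMENT_PARAMS for p, _ in hits)))
    return results
```

Access logs only carry the query string of GET requests; comments submitted in a POST body are invisible here, so pair this with application-level logging of the summary field.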