CVE-2025-67481
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in MediaWiki's jQueryMsg JavaScript library that allows attackers to inject malicious scripts into web pages. It affects MediaWiki instances running vulnerable versions, potentially compromising users who view specially crafted content. The vulnerability exists in the client-side JavaScript processing of messages.
💻 Affected Systems
- Wikimedia Foundation MediaWiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal user sessions, perform actions on behalf of users, deface pages, or redirect users to malicious sites by injecting arbitrary JavaScript that executes in victims' browsers.
Likely Case
Targeted attacks against specific users through crafted messages or page content, potentially leading to session hijacking or credential theft.
If Mitigated
With proper Content Security Policy (CSP) headers and input validation, impact is reduced to limited script execution within CSP constraints.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity. The vulnerability is in client-side JavaScript, making exploitation straightforward once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.39.16, 1.43.6, 1.44.3, or 1.45.1
Vendor Advisory: https://phabricator.wikimedia.org/T251032
Restart Required: No
Instructions:
1. Back up your MediaWiki installation.
2. Update MediaWiki to version 1.39.16, 1.43.6, 1.44.3, or 1.45.1 depending on your branch.
3. Clear browser caches and MediaWiki caches.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Content Security Policy (CSP)
All platforms: Implement strict CSP headers to limit script execution sources and reduce XSS impact
Input Validation Filter
All platforms: Add additional input validation for user-generated content that passes through jQueryMsg
🧯 If You Can't Patch
- Implement strict Content Security Policy headers with script-src directives
- Disable or limit user-generated content features that use the vulnerable jQueryMsg library
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version in LocalSettings.php or via Special:Version page. Compare against affected versions.
Check Version:
grep 'wgVersion' LocalSettings.php or visit Special:Version
Verify Fix Applied:
Verify version is 1.39.16, 1.43.6, 1.44.3, or 1.45.1 or higher. Test message parsing functionality.
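The per-branch comparison described above can be scripted. This is an added example, not code from MediaWiki or from the vendor advisory. The helper name classify and its status labels are hypothetical, and the input is assumed to be the version string as shown on Special:Version.

```python
import re
import sys

# Fixed release per branch, from the "Patch Version" line of this page.
FIXED = {(1, 39): 16, (1, 43): 6, (1, 44): 3, (1, 45): 1}

# x.y.z plus an optional trailing tag such as "-rc.1" or "-alpha".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(\S*)")


def classify(version_text):
    """Classify a MediaWiki version string (hypothetical helper).

    Returns (status, detail); status is 'patched', 'update-needed',
    'newer-branch', 'unlisted-branch' or 'unparsed'.
    """
    m = _VERSION_RE.match(version_text.strip())
    if not m:
        return ("unparsed", "expected a version like 1.43.6")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    prerelease = m.group(4).startswith("-")
    branch = (major, minor)

    if branch in FIXED:
        fixed = FIXED[branch]
        target = f"{major}.{minor}.{fixed}"
        # A pre-release of the fixed version (e.g. 1.45.1-rc.1) is not
        # counted as the fixed release itself.
        if patch > fixed or (patch == fixed and not prerelease):
            return ("patched", f"at or above {target}")
        return ("update-needed", f"update to {target} or later")
    if branch > max(FIXED):
        # The page accepts "or higher"; reported separately so an
        # operator can confirm the build postdates the fix.
        return ("newer-branch", "newer than every fixed release listed")
    # Branches such as 1.40 to 1.42 have no fixed release on this page.
    return ("unlisted-branch", "move to a branch with a fixed release")


if __name__ == "__main__":
    # Constructed sample versions are used when none are given.
    for v in sys.argv[1:] or ["1.39.15", "1.43.6", "1.45.1-rc.1", "1.42.3"]:
        status, detail = classify(v)
        print(f"{v}: {status} ({detail})")
```

A plain "higher than 1.39.16" comparison would wrongly pass a 1.43.5 install, which is why the check is done per branch.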
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript in page content
- Multiple failed message parsing attempts
- Suspicious user agent strings
Network Indicators:
- Script tags in unexpected parameters
- Unusual POST/GET requests to message-related endpoints
SIEM Query:
source="mediawiki" AND (message="jquerymsg" OR message="script injection")