Page MenuHomePhabricator
Create Task
Maniphest T386963

CVE-2025-32067: i18n XSS vulnerability in message growthexperiments-homepage-suggestededits-tasktype-description-link-recommendation
Closed, ResolvedPublicSecurity
Actions

Description

Discovered with $wgUseXssLanguage. (See T340201: Use custom language code to find i18n XSS issues)

To reproduce:

  • visit Special:Homepage with ?uselang=x-xss

Details

Risk Rating
Medium
Author Affiliation
WMF Product
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Fix XSS in Suggested editsmediawiki/extensions/GrowthExperimentsmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Michael created this task.Feb 20 2025, 6:26 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 20 2025, 6:26 PM
taavi added a project: GrowthExperiments-Homepage.Feb 20 2025, 6:29 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptFeb 20 2025, 6:29 PM
Michael edited projects, added GrowthExperiments, Add-Link-Structured-Task; removed GrowthExperiments-Homepage.Feb 20 2025, 6:29 PM
Michael added subscribers: Sgs, Urbanecm_WMF, Cyndymediawiksim.

I also tried to check our VisualEditor integration, but that didn't load at all, with the following error:

Uncaught Error: Syntax error, unrecognized expression: [accesskey="<script>alert('accesskey-save')</script>"><script>alert('accesskey-save')</script><x y="()"]

Should we have an extra task for that?

Michael edited projects, added GrowthExperiments-Homepage; removed GrowthExperiments.Feb 20 2025, 6:30 PM
Urbanecm_WMF triaged this task as High priority.EditedFeb 21 2025, 9:30 AM

Same vulnerability is in growthexperiments-homepage-suggestededits-tasktype-description-*, according to the code.

Urbanecm_WMF claimed this task.Feb 21 2025, 9:37 AM
Urbanecm_WMF edited projects, added Growth-Team (Current Sprint); removed Growth-Team.
Urbanecm_WMF moved this task from Incoming to Code Review on the Growth-Team (Current Sprint) board.

Fix is below:

T386963.patch1 KBDownload

@Michael (or other engineers), do you mind giving it a +2?

Urbanecm_WMF added a comment.Feb 21 2025, 9:38 AM
In T386963#10568873, @Michael wrote:

I also tried to check our VisualEditor integration, but that didn't load at all, with the following error:

Uncaught Error: Syntax error, unrecognized expression: [accesskey="<script>alert('accesskey-save')</script>"><script>alert('accesskey-save')</script><x y="()"]

Should we have an extra task for that?

Probably. That feels like an issue in VisualEditor itself, but I'm unsure if it also has security implications.

Michael added a comment.Feb 21 2025, 12:25 PM
In T386963#10570431, @Urbanecm_WMF wrote:

Fix is below:

T386963.patch1 KBDownload

@Michael (or other engineers), do you mind giving it a +2?

I'm a bit surprised that we only adjust the method for the description to parse. Are the others escaped client-side?

Urbanecm_WMF added a comment.Feb 21 2025, 3:42 PM
In T386963#10570790, @Michael wrote:

I'm a bit surprised that we only adjust the method for the description to parse. Are the others escaped client-side?

That is correct. As far as I can see, only the description is displayed using $( '<p>' ).html( this.taskTypeData.messages.description ). All other parts are displayed using the text() method, for example:

$( tagName )
	.addClass( 'suggested-edits-task-explanation-heading' )
	.text( this.taskTypeData.messages.name )

Relevant code seems to be modules/ext.growthExperiments.Homepage.SuggestedEdits/TaskExplanationWidget.js.

I wouldn't mind moving the escaping to a single location (all server side or all client side), but that should be probably done in a separate (public) patch.

Michael added a comment.Feb 21 2025, 5:54 PM
In T386963#10571408, @Urbanecm_WMF wrote:
In T386963#10570790, @Michael wrote:

I'm a bit surprised that we only adjust the method for the description to parse. Are the others escaped client-side?

That is correct. As far as I can see, only the description is displayed using $( '<p>' ).html( this.taskTypeData.messages.description ). All other parts are displayed using the text() method, for example:

$( tagName )
	.addClass( 'suggested-edits-task-explanation-heading' )
	.text( this.taskTypeData.messages.name )

Relevant code seems to be modules/ext.growthExperiments.Homepage.SuggestedEdits/TaskExplanationWidget.js.

I wouldn't mind moving the escaping to a single location (all server side or all client side), but that should be probably done in a separate (public) patch.

Thanks! That explanation and the fact that I did not observe any alerts from any of the other message keys is good enough for me. I'm hereby giving a virtual +2 to @Urbanecm_WMF's change.

Urbanecm_WMF added a subscriber: sbassett.Feb 24 2025, 9:09 AM
10:08 <urbanecm> !log Deployed security patch for T386963
10:09 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Deployed to production.

@sbassett, is it OK to backport in Gerrit and publish the task?

Urbanecm_WMF moved this task from Code Review to QA on the Growth-Team (Current Sprint) board.Feb 24 2025, 9:09 AM
sbassett added a comment.Feb 24 2025, 2:45 PM
In T386963#10574228, @Urbanecm_WMF wrote:

@sbassett, is it OK to backport in Gerrit and publish the task?

Sure.

sbassett mentioned this in T382326: Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.6/1.43.1).Feb 24 2025, 2:46 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 24 2025, 3:31 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
gerritbot added a comment.Feb 24 2025, 3:36 PM

Change #1122163 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS in Suggested edits

https://gerrit.wikimedia.org/r/1122163

gerritbot added a project: Patch-For-Review.Feb 24 2025, 3:36 PM
Urbanecm_WMF added a project: Vuln-XSS.Feb 24 2025, 3:38 PM
gerritbot added a comment.Feb 24 2025, 4:01 PM

Change #1122163 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS in Suggested edits

https://gerrit.wikimedia.org/r/1122163

Maintenance_bot removed a project: Patch-For-Review.Feb 24 2025, 4:31 PM
ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.18; 2025-02-25).Feb 24 2025, 5:00 PM
sbassett added a project: SecTeam-Processed.Feb 24 2025, 5:05 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
Etonkovidova closed this task as Resolved.Feb 26 2025, 1:13 AM
Mstyles renamed this task from i18n XSS vulnerability in message growthexperiments-homepage-suggestededits-tasktype-description-link-recommendation to CVE-2025-32067: i18n XSS vulnerability in message growthexperiments-homepage-suggestededits-tasktype-description-link-recommendation.Apr 11 2025, 5:06 PM
Urbanecm_WMF mentioned this in T386826: Placing unexpected data in MediaWiki:GrowthMentors.json causes internal errors.Apr 28 2025, 7:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits