CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Dreamy_Jazz
	May 15 2025, 10:39 AM

Description

Summary

The IP Info extension has a infobox widget that is currently vulnerable to message key XSS (through checking with the x-xss language). These XSS vectors should be fixed.

Background

The x-xss language allows finding messages which are not properly escaped in MediaWiki interfaces
The IP Info extension displays an "infobox" or "popup" widget on pages like Special:Contributions or the history page
- This gives the IP address being used or the IP associated with a temporary account
When using the x-xss language on Special:Contributions and the history page, there are several popup alerts that indicate the IP Info is not properly escaping these messages for both the "infobox" and "popup" widgets
The messages which are vulnerable:
- ipinfo-value-ipversion-ipv4
- ipinfo-value-ipversion-ipv6
- ipinfo-value-active-blocks
- ipinfo-value-local-edits
- ipinfo-value-recent-edits
- ipinfo-value-deleted-edits
- checkuser-ipinfo-global-contributions-value

Technical notes

To reproduce:

Set $wgUseXssLanguage to be true
Load Special:Contributions for either a temporary account or IP
Open the infobox
Accept the IPInfo preference (if needed)

Screenshots

Acceptance criteria

The IP Info "infobox" and "popup" components no longer have any messages that are vulnerable to message key XSS

Details

Author Affiliation: WMF Technology

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
SECURITY: Escape messages in IPInfo frontend	mediawiki/extensions/IPInfo	REL1_43	+6 -6
SECURITY: Escape messages in IPInfo frontend	mediawiki/extensions/IPInfo	REL1_39	+5 -6
SECURITY: Escape messages in IPInfo frontend	mediawiki/extensions/IPInfo	REL1_42	+6 -6
SECURITY: Escape messages in IPInfo frontend	mediawiki/extensions/IPInfo	master	+5 -5
SECURITY: Escape messages in IPInfo frontend	mediawiki/extensions/IPInfo	REL1_44	+5 -5
SECURITY: Escape messages in IPInfo infobox	mediawiki/extensions/CheckUser	master	+1 -1

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
					Restricted Task
		Resolved	Security	• mszabo	T394393 CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup

Event Timeline

Dreamy_Jazz created this task.May 15 2025, 10:39 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 15 2025, 10:39 AM

Dreamy_Jazz updated the task description. (Show Details)May 15 2025, 10:41 AM

Dreamy_Jazz added projects: Trust and Safety Product Team, IP Info, Vuln-XSS.

Dreamy_Jazz renamed this task from IPInfo infobox: Message key XSS through several IPInfo messages to IPInfo: Message key XSS through several IPInfo messages in infobox and popup.May 15 2025, 10:43 AM

Dreamy_Jazz updated the task description. (Show Details)

Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).

Dreamy_Jazz updated the task description. (Show Details)May 15 2025, 10:46 AM

Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.May 15 2025, 11:14 AM

Dreamy_Jazz moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.

• mszabo changed the task status from Open to In Progress.May 15 2025, 3:09 PM

• mszabo moved this task from Ready to In Progress on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.

Proposed patch:

T394393.patch2 KBDownload

~~We also need one to CheckUser for checkuser-ipinfo-global-contributions-value.~~ Done below.

And for CheckUser:

T394393.patch1 KBDownload

In T394393#10826972, @mszabo wrote:

Proposed patch:
T394393.patch2 KBDownload

In T394393#10827020, @mszabo wrote:

And for CheckUser:
T394393.patch1 KBDownload

Dreamy_Jazz added a project: Patch-For-Review.May 15 2025, 3:30 PM

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.May 15 2025, 3:57 PM

sbassett added a project: SecTeam-Processed.

It seems the CheckUser issue is only present on master. Would it be acceptable to deploy the fix publicly via gerrit?

Jdforrester-WMF added a project: MW-1.45-notes (1.45.0-wmf.2; 2025-05-20).May 15 2025, 6:06 PM

The IP Info security patch has been deployed to production by @mszabo, so I think we should be able to make it public and upload to gerrit whenever we want to.

Dreamy_Jazz assigned this task to • mszabo.May 15 2025, 8:04 PM

• mszabo moved this task from In Progress to Needs QA on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.May 16 2025, 9:16 AM

sbassett mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).May 16 2025, 2:00 PM

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.May 19 2025, 8:00 PM

sbassett added a subscriber: gerritbot.

• mszabo merged a task: Restricted Task.May 21 2025, 2:49 PM

• mszabo added a subscriber: SomeRandomDeveloper.

SomeRandomDeveloper added a project: affects-Miraheze.May 21 2025, 2:52 PM

sbassett updated the task description. (Show Details)May 21 2025, 2:55 PM

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 25 2025, 6:52 PM

kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.

sbassett triaged this task as Low priority.Jun 10 2025, 7:03 PM

SomeRandomDeveloper added a parent task: Restricted Task.Jun 10 2025, 7:54 PM

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)); removed Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).Jun 16 2025, 6:12 AM

kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)); removed Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)).Jul 7 2025, 9:41 AM

kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)) board.

Change #1166901 had a related patch set uploaded (by Dreamy Jazz; author: Máté Szabó):

[mediawiki/extensions/IPInfo@master] SECURITY: Escape messages in IPInfo frontend

https://gerrit.wikimedia.org/r/1166901

Change #1166903 had a related patch set uploaded (by Dreamy Jazz; author: Máté Szabó):

[mediawiki/extensions/IPInfo@REL1_44] SECURITY: Escape messages in IPInfo frontend

https://gerrit.wikimedia.org/r/1166903

Change #1166905 had a related patch set uploaded (by Dreamy Jazz; author: Máté Szabó):

[mediawiki/extensions/IPInfo@REL1_43] SECURITY: Escape messages in IPInfo frontend

https://gerrit.wikimedia.org/r/1166905

Change #1166903 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@REL1_44] SECURITY: Escape messages in IPInfo frontend

https://gerrit.wikimedia.org/r/1166903

Change #1166911 had a related patch set uploaded (by Dreamy Jazz; author: Máté Szabó):

[mediawiki/extensions/IPInfo@REL1_42] SECURITY: Escape messages in IPInfo frontend

https://gerrit.wikimedia.org/r/1166911

Change #1166912 had a related patch set uploaded (by Dreamy Jazz; author: Máté Szabó):

[mediawiki/extensions/IPInfo@REL1_39] SECURITY: Escape messages in IPInfo frontend

https://gerrit.wikimedia.org/r/1166912

Change #1166901 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@master] SECURITY: Escape messages in IPInfo frontend

https://gerrit.wikimedia.org/r/1166901

Change #1166911 merged by Dreamy Jazz:

[mediawiki/extensions/IPInfo@REL1_42] SECURITY: Escape messages in IPInfo frontend

https://gerrit.wikimedia.org/r/1166911

Change #1166912 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@REL1_39] SECURITY: Escape messages in IPInfo frontend

https://gerrit.wikimedia.org/r/1166912

Change #1166905 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@REL1_43] SECURITY: Escape messages in IPInfo frontend

https://gerrit.wikimedia.org/r/1166905

mmartorana renamed this task from IPInfo: Message key XSS through several IPInfo messages in infobox and popup to CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popup.Jul 8 2025, 5:44 PM

mmartorana closed this task as Resolved.

mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".

Re-opening so that we can track QA on this.

Niharika edited projects, added Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)); removed Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)).Jul 25 2025, 3:27 PM

Dreamy_Jazz moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Jul 28 2025, 6:20 PM

Dreamy_Jazz added a project: Essential-Work.Aug 14 2025, 10:31 AM

OKryva-WMF edited projects, added Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)); removed Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)).Aug 19 2025, 10:27 AM

OKryva-WMF moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.Aug 19 2025, 10:30 AM

I think we can skip QA on this given that it's not happened in around a month.

	F60021162: T394393.patch
	May 15 2025, 3:28 PM

	F60020691: T394393.patch
	May 15 2025, 3:18 PM

	F60010417: image.png
	May 15 2025, 10:45 AM

	F60010413: image.png
	May 15 2025, 10:45 AM

CVE-2025-53482: IPInfo: Message key XSS through several IPInfo messages in infobox and popupClosed, ResolvedPublicSecurityActions