CVE-2025-61636: Codex Special:Block vulnerable to message key XSS
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Dreamy_Jazz
	May 15 2025, 10:53 AM

Description

Summary

The Codex Special:Block is vulnerable to message key XSS (per checking with the x-xss language)

Background

The x-xss language allows finding messages which are not properly escaped in MediaWiki interfaces
Codex Special:Block is a re-designed interface of the Special:Block page that is enabled when $wgUseCodexSpecialBlock = true;
When using the x-xss language on Codex Special:Block, there is a popup indicating that the ipbsubmit message is not being properly escaped

Screenshots

Acceptance criteria

Codex Special:Block is not vulnerable to message key XSS

Details

Risk Rating: Low
Author Affiliation: WMF Technology

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Revert "SECURITY: Escape rawElement $content"	mediawiki/core	REL1_44	+2 -2
Revert "SECURITY: Escape rawElement $content"	mediawiki/core	REL1_43	+2 -2
Revert "SECURITY: Escape rawElement $content"	mediawiki/core	master	+2 -2
SECURITY: Escape rawElement $content	mediawiki/core	REL1_43	+4 -2
SECURITY: Escape rawElement $content	mediawiki/core	REL1_44	+4 -2
SECURITY: Escape rawElement $content	mediawiki/core	master	+4 -2

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
			Restricted Task
			Restricted Task
Resolved	Security	dmaza	T394396 CVE-2025-61636: Codex Special:Block vulnerable to message key XSS

Event Timeline

Dreamy_Jazz created this task.May 15 2025, 10:53 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 15 2025, 10:53 AM

Dreamy_Jazz added projects: Multiblocks, MediaWiki-Blocks.May 15 2025, 10:54 AM

Restricted Application added projects: Community-Tech, Trust and Safety Product Team. · View Herald TranscriptMay 15 2025, 10:54 AM

Dreamy_Jazz updated the task description. (Show Details)May 15 2025, 10:54 AM

Dreamy_Jazz added a project: Vuln-XSS.

Dreamy_Jazz added a subscriber: MusikAnimal.

Dreamy_Jazz moved this task from Inbox to Tracking work by others on the Trust and Safety Product Team board.May 15 2025, 10:57 AM

I think this might be an issue with CodexHTMLForm. Looking into it.

In T394396#10826597, @dmaza wrote:

I think this might be an issue with CodexHTMLForm. Looking into it.

Relevant code block? That's the only place I'm seeing ipbsubmit set right now, and then it's immediately passed to setSubmitTextMsg, which CodexHTMLForm does not override. So we'd maybe want to change setSubmitTextMsg to escape messages (or maybe have some default arg option) or introduce a function like setSubmitEscapedMsg.

Just to note, I did test with the old Special:Block and didn't see the submit message causing this problem.

MusikAnimal edited projects, added Community-Tech (Sea Lion Squad); removed Community-Tech.May 15 2025, 4:15 PM

In T394396#10827176, @Dreamy_Jazz wrote:

Just to note, I did test with the old Special:Block and didn't see the submit message causing this problem.

That's correct. because the form displayFormat is ooui when codex is disabled. If you change the form displayFormat to always be codex here on SpecialBlock you will get the xss regardless, even if the new Vue special page is being not loaded.

In T394396#10827775, @dmaza wrote:

In T394396#10827176, @Dreamy_Jazz wrote:

Just to note, I did test with the old Special:Block and didn't see the submit message causing this problem.

That's correct. because the form displayFormat is ooui when codex is disabled. If you change the form displayFormat to always be codex here on SpecialBlock you will get the xss regardless, even if the new Vue special page is being not loaded.

Interesting. Hopefully that helps you narrow the issue down.

dmaza added a comment.May 16 2025, 3:50 PM

This comment was removed by dmaza.

dmaza added a project: Patch-For-Review.May 16 2025, 4:14 PM

dmaza added subscribers: • AnneT, lwatson.

Proposed fix

T394396.patch1 KBDownload

In T394396#10831178, @dmaza wrote:

Proposed fix
T394396.patch1 KBDownload

+1 from me!

In T394396#10831178, @dmaza wrote:

Proposed fix
T394396.patch1 KBDownload

Feedback (not tested locally yet):

Inside the getInputCodex function, can the buttonLabel logic be wrapped in the escape function in one line instead, like this:

$buttonLabel = htmlspecialchars( $this->buttonLabel ?: $this->getDefault() );

Then in buildCodexComponent, no change is needed:

$buttonHtml = Html::rawElement(
			'button', $attribs, $buttonLabel
		);

In T394396#10831318, @lwatson wrote:
In T394396#10831178, @dmaza wrote:

Proposed fix
T394396.patch1 KBDownload

Feedback (not tested locally yet):

Inside the getInputCodex function, can the buttonLabel logic be wrapped in the escape function in one line instead, like this:
$buttonLabel = htmlspecialchars( $this->buttonLabel ?: $this->getDefault() );
Then in buildCodexComponent, no change is needed:
$buttonHtml = Html::rawElement(
			'button', $attribs, $buttonLabel
		);

Thank you for your review. Unfortunately buildCodexComponent also gets called from CodexHTMLForm.php so we have to escape the label in that context and not before. What you are suggesting wouldn't fix this particular issue, unless I'm overlooking something.

Another alternative would be to use Html::element instead of rawElement and remove the call to htmlspecialchars

@dmaza - I think your patch in T394396#10831178 is fine. Generally, it's a best practice to escape any data as close to the relevant data sink as possible, as you've done. This typically makes the code easier to read and audit, especially for anyone who isn't immediately familiar with said code. We should try to get this security-deployed during this Monday's window (2025-05-19).

I don't understand the almost duplicate lines of code in both functions. Would it be safe to wrap the logic once in each function to ensure the values are escaped? So maybe this:

getInputCodex

$buttonLabel = htmlspecialchars( $this->buttonLabel ?: $this->getDefault() );

buildCodexComponent

$buttonHtml = Html::rawElement(
            'button', $attribs, htmlspecialchars( $buttonLabel )
);

I tested this locally and added ?uselang=x-xss&usecodex=true to the URL, and noticed no popup alert. What else should I look for? What does "success" look like?

In T394396#10831542, @lwatson wrote:
I don't understand the almost duplicate lines of code in both functions. Would it be safe to wrap the logic once in each function to ensure the values are escaped? So maybe this:

getInputCodex
$buttonLabel = htmlspecialchars( $this->buttonLabel ?: $this->getDefault() );
buildCodexComponent
$buttonHtml = Html::rawElement(
            'button', $attribs, htmlspecialchars( $buttonLabel )
);
I tested this locally and added ?uselang=x-xss&usecodex=true to the URL, and noticed no popup alert. What else should I look for? What does "success" look like?

@lwatson I don't think the lines in @dmaza's patch are duplicative - my understanding is that the htmlspecialchars call needed to be moved from the getInputCodex() method to buildCodexComponent() because some things call buildCodexComponent() directly (like CodexHTMLForm), so the escaping needs to happen there. Your suggested code for getInputCodex would only work when that's not the case and getInputCodex() is called. We also want to make sure we're only calling htmlspecialchars once.

@dmaza the code LGTM

@AnneT Thanks

@lwatson What Anne Said

In T394396#10831412, @sbassett wrote:

@dmaza - I think your patch in T394396#10831178 is fine. Generally, it's a best practice to escape any data as close to the relevant data sink as possible, as you've done. This typically makes the code easier to read and audit, especially for anyone who isn't immediately familiar with said code. We should try to get this security-deployed during this Monday's window (2025-05-19).

@sbassett I'm not typically around during that window. Do you need me or someone else to be around to test it after deployment?

Thank you both @dmaza and @AnneT! I noticed my mistake was misreading the diff file.

In T394396#10834821, @dmaza wrote:

@sbassett I'm not typically around during that window. Do you need me or someone else to be around to test it after deployment?

It would be nice, yes. For a patch like this, it probably isn't essential though, unless there are reasonable concerns about it breaking the UI in some unintended way.

sbassett added a project: SecTeam-Processed.May 19 2025, 3:23 PM

Deployed to Wikimedia production.

sbassett changed the task status from Open to In Progress.May 19 2025, 9:44 PM

sbassett triaged this task as Low priority.

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.

sbassett changed Risk Rating from N/A to Low.

sbassett removed a project: Patch-For-Review.

Mstyles mentioned this in T394397: CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS.May 27 2025, 3:37 PM

MusikAnimal moved this task from Backlog - groomed to Following on the Community-Tech (Sea Lion Squad) board.Jun 25 2025, 9:00 PM

sbassett added a parent task: Restricted Task.Jul 8 2025, 8:30 PM

sbassett assigned this task to dmaza.Jul 8 2025, 8:41 PM

Dreamy_Jazz moved this task from Backlog to Implement Codex Special:Block on the Multiblocks board.Jul 10 2025, 1:09 PM

Dreamy_Jazz edited projects, added Multiblocks (Implement Codex Special:Block); removed Multiblocks.

Reedy added a subscriber: gerritbot.Sep 17 2025, 1:37 PM

Reedy renamed this task from Codex Special:Block vulnerable to message key XSS to CVE-2025-61636: Codex Special:Block vulnerable to message key XSS.Sep 29 2025, 1:21 PM

Reedy added projects: MW-1.43-release, MW-1.44-release.Sep 29 2025, 6:29 PM

Reedy closed this task as Resolved.Oct 1 2025, 8:53 PM

Change #1193170 had a related patch set uploaded (by Reedy; author: Dmaza):

[mediawiki/core@REL1_43] SECURITY: Escape rawElement $content

https://gerrit.wikimedia.org/r/1193170

gerritbot added a project: Patch-For-Review.Oct 2 2025, 6:49 PM

Reedy added a subscriber: SomeRandomDeveloper.Oct 2 2025, 6:59 PM

I think this is a duplicate of T402313 which has a separate fix that does not double escape messages.

As I mentioned on gerrit already, as far as I can see, $this->buttonLabel seems to either be parsed (L63), escaped (L69) or intentionally raw HTML (L72). It shouldn't be escaped in buildCodexComponent. Instead, it should be marked as exec_html and escaped by the caller, which https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193175 (the fix for T402313) does already.

Change #1193170 merged by jenkins-bot:

[mediawiki/core@REL1_43] SECURITY: Escape rawElement $content

https://gerrit.wikimedia.org/r/1193170

Change #1193194 had a related patch set uploaded (by Reedy; author: Dmaza):

[mediawiki/core@REL1_44] SECURITY: Escape rawElement $content

https://gerrit.wikimedia.org/r/1193194

Change #1193194 merged by jenkins-bot:

[mediawiki/core@REL1_44] SECURITY: Escape rawElement $content

https://gerrit.wikimedia.org/r/1193194

Change #1193216 had a related patch set uploaded (by Reedy; author: Dmaza):

[mediawiki/core@master] SECURITY: Escape rawElement $content

https://gerrit.wikimedia.org/r/1193216

Change #1193216 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Escape rawElement $content

https://gerrit.wikimedia.org/r/1193216

In T394396#11238391, @SomeRandomDeveloper wrote:

As I mentioned on gerrit already, as far as I can see, $this->buttonLabel seems to either be parsed (L63), escaped (L69) or intentionally raw HTML (L72). It shouldn't be escaped in buildCodexComponent. Instead, it should be marked as exec_html and escaped by the caller, which https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193175 (the fix for T402313) does already.

I also came here to say basically this. The current fix doesn't seem like the correct approach to me.

@Reedy - should we open this task back up to address the double-escape or just file a new bug? This should just need a revert and an explanation in the commit msg, correct?

I am going to create a revert patch. My reasoning:

The parameter is now marked as @param-taint $buttonLabel exec_html since the fix for T402313
All callers outside of HTMLButtonField escape the label already: https://codesearch.wmcloud.org/search/?q=HTMLButtonField%3A%3AbuildCodexComponent&files=&excludeFiles=&repos= (this was done to fix T402313, which is the same issue as reported here)
There is another method call in HTMLButtonField, which passes the buttonLabel property to the function. This property is assigned in the following places:
- L63: Parsed message
- L67: String literal with a unicode character
- L69: Escaped string
- L72: Intentionally raw HTML string
- L126: $this->getDefault(), which will be escaped again in that line after this patch is reverted

I'll double check this in my local installation again and then create a revert.

Change #1193501 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/core@master] Revert "SECURITY: Escape rawElement $content"

https://gerrit.wikimedia.org/r/1193501

Change #1193507 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/core@REL1_44] Revert "SECURITY: Escape rawElement $content"

https://gerrit.wikimedia.org/r/1193507

Change #1193508 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/core@REL1_43] Revert "SECURITY: Escape rawElement $content"

https://gerrit.wikimedia.org/r/1193508

Change #1193501 merged by jenkins-bot:

[mediawiki/core@master] Revert "SECURITY: Escape rawElement $content"

https://gerrit.wikimedia.org/r/1193501

Change #1193508 merged by jenkins-bot:

[mediawiki/core@REL1_43] Revert "SECURITY: Escape rawElement $content"

https://gerrit.wikimedia.org/r/1193508

Change #1193507 merged by jenkins-bot:

[mediawiki/core@REL1_44] Revert "SECURITY: Escape rawElement $content"

https://gerrit.wikimedia.org/r/1193507

sbassett closed this task as Resolved.Oct 6 2025, 4:23 PM

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.