
CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS
Closed, ResolvedPublicSecurity

Description

Summary

Special:PendingChanges is vulnerable to i18n XSS (per checking with the x-xss language)

Background

  • The x-xss language allows finding messages which are not properly escaped in MediaWiki interfaces
  • Special:PendingChanges allows users to see pages that have changes pending and was redesigned using Codex a few months back
  • When using the x-xss language on Special:PendingChanges, there are multiple popups indicating that messages introduce i18n XSS. These include:
    • pendingchanges-diff
    • pendingchanges-table-watching
    • pendingchanges-table-pending-since
    • pendingchanges-table-size
    • pendingchanges-table-review
    • pendingchanges-table-page
    • pendingchanges-table-footer
    • pendingchanges-table-caption

Screenshots

image.png (682×1 px, 145 KB)

Acceptance criteria

  • Special:PendingChanges is not vulnerable to message key XSS

Event Timeline

sbassett changed the task status from Open to In Progress. May 19 2025, 4:37 PM
sbassett changed Author Affiliation from N/A to WMF Technology.
sbassett changed Risk Rating from N/A to Medium.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: SecTeam-Processed.

@Dreamy_Jazz are you intending to work on this ticket or should I look for another contributor?

Hi @Mstyles. This isn't in Trust and Safety Product Team owned code, so I'm not sure I could work on it with my WMF hat on (given the focus on Temporary accounts to get ready for a deployment).

I might have space as a volunteer to work on this, but not for at least a few weeks. So I'd suggest finding someone else if this needs to be fixed sooner for a security release.

@Dreamy_Jazz thank you for reporting this issue. I'll ask around and see if anyone is interested in working on this.

@dmaza @lwatson you recently addressed a codex issue in T394396, do you think you could take a look at this issue?

Sure, I can take a look sometime this week.

I think this should do it. Unaware of who is the right person to ping for review. @Dreamy_Jazz, do you think you or someone from Trust and Safety Product Team can take a look?

Trust and Safety Product Team don't own this extension, but I can take a look.

Oh sorry, my bad. I misread and thought it was owned by tsp.
And thank you for taking a look.

I applied the patch locally and saw that it fixes the XSS but causes some HTML to be displayed as text where it shouldn't be:

image.png (560×978 px, 52 KB)

I think that can be fixed by passing the $chip parameter in as a ::rawParam. That shouldn't cause XSS because the HTML in $chip has already escaped the formatted count.
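The three rendering patterns discussed in this thread, as an added illustration that is not FlaggedRevs or MediaWiki core code. It uses the real MediaWiki helpers (Html::element, Html::rawElement, wfMessage, Message::rawParam) and one of the message keys named in the task; the function names and the exact chip markup around the count are assumptions made for the example.

```php
<?php
/**
 * Added example, not part of the FlaggedRevs patch: how a message ends up
 * inside Html::rawElement() markup, and which variants survive a check with
 * the x-xss pseudo-language (which returns a <script> payload for every
 * message key, so any unescaped message shows up as an alert popup).
 *
 * Assumed for illustration: function names, the "chip" markup around the
 * count, and that the caller has already formatted the count for display.
 */

use MediaWiki\Html\Html;
use MediaWiki\Message\Message;

/**
 * VULNERABLE: ->text() performs no HTML escaping and Html::rawElement()
 * trusts its content, so whatever the message contains is emitted verbatim.
 * With uselang=x-xss this executes the pseudo-language's script payload.
 */
function captionVulnerable( int $count ): string {
	return Html::rawElement( 'caption', [],
		wfMessage( 'pendingchanges-table-caption' )->numParams( $count )->text()
	);
}

/**
 * OVER-ESCAPED: ->escaped() neutralises the message text, but a pre-built
 * chip passed as an ordinary parameter is escaped as well, so "<span ...>"
 * appears as literal text in the table. This is the regression spotted in
 * review after the first version of the patch.
 */
function captionOverEscaped( string $formattedCount ): string {
	$chip = Html::element( 'span', [ 'class' => 'cdx-info-chip' ], $formattedCount );
	return Html::rawElement( 'caption', [],
		wfMessage( 'pendingchanges-table-caption' )->params( $chip )->escaped()
	);
}

/**
 * FIXED: the chip is built with Html::element(), which already escapes the
 * formatted count, so it is safe to hand over as Message::rawParam(). The
 * surrounding (untrusted) message text is still escaped by ->escaped(),
 * so the x-xss payload is rendered inert while the chip keeps its markup.
 */
function captionFixed( string $formattedCount ): string {
	$chip = Html::element( 'span', [ 'class' => 'cdx-info-chip' ], $formattedCount );
	return Html::rawElement( 'caption', [],
		wfMessage( 'pendingchanges-table-caption' )
			->params( Message::rawParam( $chip ) )
			->escaped()
	);
}
```

The rule of thumb the fix follows: content handed to Html::rawElement() must already be HTML-safe, so messages go in via ->escaped() (or ->parse()), never ->text(), and the only things passed as rawParam() are fragments that were themselves produced by an escaping helper such as Html::element(). Loading the special page with uselang=x-xss is the quick regression check, since any remaining ->text() path produces a visible popup.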

Woops. Not sure how I missed that. Thank you.

It seems that the plural syntax is currently broken on that message so that's a different issue.

+2

We can't fix the i18n issue through a security patch, so as it is broken already we can continue to keep it as-is.

Deployed

Jly renamed this task from Special:PendingChanges vulnerable to i18n XSS to CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS. Jun 30 2025, 7:20 PM
Jly claimed this task.
Jly added a subscriber: gerritbot.

Change #1165929 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/FlaggedRevs@master] Security: Escape rawElement content

https://gerrit.wikimedia.org/r/1165929

Change #1165930 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/FlaggedRevs@REL1_44] Security: Escape rawElement content

https://gerrit.wikimedia.org/r/1165930

Change #1165932 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/FlaggedRevs@REL1_43] Security: Escape rawElement content

https://gerrit.wikimedia.org/r/1165932

Change #1165933 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/FlaggedRevs@REL1_42] Security: Escape rawElement content

https://gerrit.wikimedia.org/r/1165933

Change #1165934 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/FlaggedRevs@REL1_39] Security: Escape rawElement content

https://gerrit.wikimedia.org/r/1165934

Change #1165933 abandoned by Jly:

[mediawiki/extensions/FlaggedRevs@REL1_42] Security: Escape rawElement content

https://gerrit.wikimedia.org/r/1165933

Change #1165934 abandoned by Jly:

[mediawiki/extensions/FlaggedRevs@REL1_39] Security: Escape rawElement content

https://gerrit.wikimedia.org/r/1165934

Change #1165932 abandoned by Jly:

[mediawiki/extensions/FlaggedRevs@REL1_43] Security: Escape rawElement content

https://gerrit.wikimedia.org/r/1165932

Change #1165933 restored by Jly:

[mediawiki/extensions/FlaggedRevs@REL1_42] Security: Escape rawElement content

https://gerrit.wikimedia.org/r/1165933

Change #1165932 restored by Jly:

[mediawiki/extensions/FlaggedRevs@REL1_43] Security: Escape rawElement content

https://gerrit.wikimedia.org/r/1165932

Change #1165933 abandoned by Jly:

[mediawiki/extensions/FlaggedRevs@REL1_42] Security: Escape rawElement content

Reason:

Not supported in 1.42

https://gerrit.wikimedia.org/r/1165933

Change #1165932 merged by jenkins-bot:

[mediawiki/extensions/FlaggedRevs@REL1_43] SECURITY: Escape rawElement content

https://gerrit.wikimedia.org/r/1165932

Change #1165929 merged by jenkins-bot:

[mediawiki/extensions/FlaggedRevs@master] SECURITY: Escape rawElement content

https://gerrit.wikimedia.org/r/1165929

Change #1165930 merged by jenkins-bot:

[mediawiki/extensions/FlaggedRevs@REL1_44] SECURITY: Escape rawElement content

https://gerrit.wikimedia.org/r/1165930

Jly removed a project: Patch-For-Review.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 7 2025, 5:18 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".

I can help with tickets like this. Speaking generally, feel free to add me to security tickets for PageTriage, SecurePoll, and FlaggedRevs. Those are the 3 extensions I'm watching and focusing on at the moment.

SecurityPatchBot raised the priority of this task from Low to Unbreak Now!.

Patch 01-T394397.patch is currently failing to apply for the most recent code in the mainline branch of extensions/FlaggedRevs. This is blocking MediaWiki release 1.45.0-wmf.9 (T392179)

If the patch needs to be rebased

To unblock the release, a new version of the patch can be placed at the right location in the deployment server with the following Scap command:

REVISED_PATCH=<path_to_revised_patch>
scap update-patch --message-body 'Rebase to solve merge conflicts with mainline code' /srv/patches/1.45.0-wmf.9/extensions/FlaggedRevs/01-T394397.patch "$REVISED_PATCH"

If the patch has been made public

To unblock the release, the patch can be removed for the right version from the deployment server with the following Scap command:

scap remove-patch --message-body 'Remove patch already made public' /srv/patches/1.45.0-wmf.9/extensions/FlaggedRevs/01-T394397.patch

(Note that if patches for the version don't exist yet, they will be created and the patch you specified removed)

Dreamy_Jazz lowered the priority of this task from Unbreak Now! to Low.

Removed the security patch as it's merged in the master branch