CVE-2025-6595: Stored XSS through system messages in MultimediaViewer
Closed, ResolvedPublic3 Estimated Story PointsSecurity
Actions

Assigned To

Authored By

	SomeRandomDeveloper
	May 20 2025, 10:27 PM

Referenced Files

	F62373497: screenshot 1.mov.gif
	Jun 18 2025, 8:37 AM

	F62373496: screenshot 2.mov.gif
	Jun 18 2025, 8:37 AM

	F62306583: 01-T394863.patch
	Jun 12 2025, 9:39 PM

	F62286071: 02-T394863.patch
	Jun 10 2025, 8:46 PM

	F62285762: image.png
	Jun 10 2025, 8:04 PM

	F62285696: 01-T394863.patch
	Jun 10 2025, 7:55 PM

	F60325620: image.png
	May 20 2025, 10:42 PM

	F60325618: image.png
	May 20 2025, 10:42 PM

Subscribers

View All 14 Subscribers

Description

Multiple system messages in MultimediaViewer are vulnerable to stored XSS.

multimediaviewer-multiple-authors-combine

Cause: https://gerrit.wikimedia.org/g/mediawiki/extensions/MultimediaViewer/+/8423935d2167119bc3421a946c720138456cb6b4/resources/mmv/ui/mmv.ui.metadataPanel.js#467

multimediaviewer-repository-local

Upload a file to your wiki
Add the file to a page
Go to the page using the ?uselang=x-xss parameter
Click on the thumbnail to open it in MultimediaViewer

Cause: https://gerrit.wikimedia.org/g/mediawiki/extensions/MultimediaViewer/+/8423935d2167119bc3421a946c720138456cb6b4/resources/mmv/ui/mmv.ui.stripeButtons.js#78

multimediaviewer-view-expanded

Upload a file to your wiki
Go to the file's page while using the ?uselang=x-xss parameter
Click on the thumbnail to open it in MultimediaViewer

Cause: https://gerrit.wikimedia.org/g/mediawiki/extensions/MultimediaViewer/+/8423935d2167119bc3421a946c720138456cb6b4/resources/mmv.bootstrap/mmv.bootstrap.js#391

multimediaviewer-copy-button

Upload a file to your wiki
Add the file to a page
Go to the page using the ?uselang=x-xss parameter
Click on the thumbnail to open it in MultimediaViewer
Click the Download button in the bottom right

Cause: https://gerrit.wikimedia.org/g/mediawiki/extensions/MultimediaViewer/+/8423935d2167119bc3421a946c720138456cb6b4/resources/mmv.ui.reuse/mmv.ui.utils.js#53

multimediaviewer-download

Upload a file to your wiki
Add the file to a page
Go to the page using the ?uselang=x-xss parameter
Click on the thumbnail to open it in MultimediaViewer
Click the Download button in the bottom right

Cause: Concatenation of HTML and the unescaped message at https://github.com/wikimedia/mediawiki-extensions-MultimediaViewer/blob/8423935d2167119bc3421a946c720138456cb6b4/resources/mmv.ui.reuse/mmv.ui.download.pane.js#L83

multimediaviewer-download-preview-link-title

Cause: Calling .html() with the unescaped message as the argument: https://github.com/wikimedia/mediawiki-extensions-MultimediaViewer/blob/8423935d2167119bc3421a946c720138456cb6b4/resources/mmv.ui.reuse/mmv.ui.download.pane.js#L108

Requirement

Fix multiple stored XSS vulnerabilities in MultimediaViewer by ensuring system messages are properly escaped and not directly injected into the DOM using .html() or string concatenation.

Vulnerable messages:

multimediaviewer-multiple-authors-combine
multimediaviewer-repository-local
multimediaviewer-view-expanded
multimediaviewer-copy-button
multimediaviewer-download
multimediaviewer-download-preview-link-title

All are exploitable by manipulating the uselang parameter to x-xss, which injects arbitrary content into localized UI elements in MultimediaViewer.

BDD

Feature: XSS protection in MultimediaViewer

Scenario: Localized system messages are properly escaped
Given a file is uploaded and added to a wiki page
And the URL is accessed with ?uselang=x-xss
When the thumbnail is clicked to open MultimediaViewer
Then no XSS is executed in the following UI elements:
| Message key                                       |
| multimediaviewer-multiple-authors-combine        |
| multimediaviewer-repository-local                |
| multimediaviewer-view-expanded                   |
| multimediaviewer-copy-button                     |
| multimediaviewer-download                        |
| multimediaviewer-download-preview-link-title     |

Test Steps

Test Case 1: Validate XSS is not triggered in multimediaviewer-multiple-authors-combine

Upload a file to the wiki
Add the file to a wiki page
Visit the page with ?uselang=x-xss
Click the thumbnail to open MultimediaViewer
AC1: Confirm the multiple authors label is shown without script execution

Test Case 2: Validate XSS is not triggered in multimediaviewer-repository-local

Repeat steps from Test Case 1
AC2: Confirm repository name in MultimediaViewer is not executable HTML

Test Case 3: Validate XSS is not triggered in multimediaviewer-view-expanded

Visit the file’s page directly (not via a content page)
Add ?uselang=x-xss to the URL
Click the file to open in MultimediaViewer
AC3: Confirm view-expanded label is escaped

Test Case 4: Validate XSS is not triggered in multimediaviewer-copy-button

Open any file with ?uselang=x-xss
Open MultimediaViewer and click “Download”
AC4: Confirm Copy button text is safe

Test Case 5: Validate XSS is not triggered in multimediaviewer-download

Open MultimediaViewer with ?uselang=x-xss
Click “Download”
AC5: Confirm Download label is not executing HTML

Test Case 6: Validate XSS is not triggered in multimediaviewer-download-preview-link-title

Open MultimediaViewer and click “Download” tab
AC6: Confirm preview link title is escaped properly

QA Results - Prod

AC	Status	Details
1	✅	T394863#10926943
2	✅	T394863#10926943
3	✅	T394863#10926943
4	✅	T394863#10926943
5	✅	T394863#10926943
6	✅	T394863#10926943

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
SECURITY: Fix unescaped mw.msg usage	mediawiki/extensions/MultimediaViewer	REL1_39	+3 -3
SECURITY: Fix unescaped mw.msg usage	mediawiki/extensions/MultimediaViewer	REL1_42	+3 -3
SECURITY: Fix unescaped mw.msg usage	mediawiki/extensions/MultimediaViewer	REL1_43	+6 -6
SECURITY: Fix unescaped mw.msg usage	mediawiki/extensions/MultimediaViewer	REL1_44	+6 -6
SECURITY: Fix unescaped mw.msg usage	mediawiki/extensions/MultimediaViewer	master	+7 -7

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		Reedy	T389313 Formally EOL MW 1.42
Resolved		Reedy	T389302 Release MediaWiki 1.39.13/1.42.7/1.43.2
			Restricted Task
			Restricted Task
Resolved	Security	Jdrewniak	T394863 CVE-2025-6595: Stored XSS through system messages in MultimediaViewer

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 20 2025, 10:27 PM

SomeRandomDeveloper added a parent task: Restricted Task.May 20 2025, 10:28 PM

SomeRandomDeveloper removed a parent task: Restricted Task.

SomeRandomDeveloper added a parent task: Restricted Task.

SomeRandomDeveloper updated the task description. (Show Details)May 20 2025, 10:31 PM

SomeRandomDeveloper updated the task description. (Show Details)May 20 2025, 10:42 PM

SomeRandomDeveloper updated the task description. (Show Details)May 20 2025, 10:45 PM

SomeRandomDeveloper added a project: affects-Miraheze.May 20 2025, 11:11 PM

Aklapper added a project: MediaViewer.May 21 2025, 6:40 AM

sbassett added a project: Vuln-XSS.May 21 2025, 3:11 PM

sbassett added a project: SecTeam-Processed.May 27 2025, 3:55 PM

sbassett moved this task from Incoming to Watching on the Security-Team board.

Jdlrobson-WMF added a project: Web-Team.May 30 2025, 4:01 PM

Jdlrobson-WMF added subscribers: ovasileva, SToyofuku-WMF, Jdrewniak.

@sbassett do we have an assessment of how urgent this is? Both for prioritization and figuring out how quickly we can remedy it

In T394863#10871968, @SToyofuku-WMF wrote:

@sbassett do we have an assessment of how urgent this is? Both for prioritization and figuring out how quickly we can remedy it

It's low risk but something we should definitely fix. If someone has a patch, it can get posted here for review, so that we can privately deploy it to production.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.May 30 2025, 8:00 PM

sbassett changed Risk Rating from N/A to Low.

Sounds good, thank you! I'll discuss with our engineers about how long we think it would take us to get a patch together. I'll also tag our product manager in Slack to let her know that this has come up and get her input on when we should start work on it. My sense is likely this will be picked up in our upcoming sprint (beginning Wednesday the 4th), but I'll let her be the judge of that

@ovasileva I triaged as high given it's a security vuln, but feel free to set the priority lower, especially given the above

Jdlrobson-WMF set the point value for this task to 3.Jun 2 2025, 5:41 PM

Jdlrobson-WMF moved this task from Q4 to Sprint Backlog on the Web-Team board.

These issues looks pretty straight-forward to fix. Either just s/append/text/ or s/mw.msg(...)/mw.message(...).escaped()/ for the affected lines.

SToyofuku-WMF moved this task from Sprint Backlog to Q4 Sprint 5 (June 4 2025 - 18 June) on the Web-Team board.Jun 4 2025, 5:36 PM

SToyofuku-WMF edited projects, added Web-Team (Q4 Sprint 5 (June 4 2025 - 18 June)); removed Web-Team.

Jdlrobson-WMF added a project: Readers Essential Work 2025.Jun 4 2025, 5:44 PM

Jdlrobson-WMF moved this task from Backlog to Requests on the Readers Essential Work 2025 board.

KSarabia-WMF claimed this task.Jun 10 2025, 4:01 PM

KSarabia-WMF moved this task from Ready for development to In progress on the Web-Team (Q4 Sprint 5 (June 4 2025 - 18 June)) board.

01-T394863.patch4 KBDownload

KSarabia-WMF added a project: Patch-For-Review.Jun 10 2025, 7:57 PM

In T394863#10901700, @KSarabia-WMF wrote:

01-T394863.patch4 KBDownload

I'm pretty sure mw.msg( '...' ) returns a string, so you can't use .escaped() on it. This change breaks MMV for me. You have to use mw.message( '...' ).escaped() instead, see also the messages documentation: https://www.mediawiki.org/wiki/Manual:Messages_API#Format_options

Sorry @SomeRandomDeveloper. See here

02-T394863.patch4 KBDownload

In T394863#10901925, @KSarabia-WMF wrote:

Sorry @SomeRandomDeveloper. See here
02-T394863.patch4 KBDownload

This one works fine for me.
Minor suggestion for improvement, .text() could be used here instead of adding the escaped message as HTML:

diff --git a/resources/mmv.ui.reuse/mmv.ui.download.pane.js b/resources/mmv.ui.reuse/mmv.ui.download.pane.js
index 51b2cbfd..cb098935 100644
--- a/resources/mmv.ui.reuse/mmv.ui.download.pane.js
+++ b/resources/mmv.ui.reuse/mmv.ui.download.pane.js
@@ -105,7 +105,7 @@ class DownloadPane extends UiElement {
                this.$previewLink = $( '<a>' )
                        .attr( 'target', '_blank' )
                        .addClass( 'cdx-docs-link' )
-                       .html( mw.message( 'multimediaviewer-download-preview-link-title' ).escaped() )
+                       .text( mw.msg( 'multimediaviewer-download-preview-link-title' ) )
                        .appendTo( $container );
        }

@SomeRandomDeveloper Thanks. Just to confirm: should this patch for review only fix the mw.msg() usage in mmv.ui.download.pane.js, or should I update similar patterns in the other mentioned files too?

Patch LGTM (with or without @SomeRandomDeveloper 's modification). Personally I prefer being explicit and using escaped.

@sbassett would you be able to arrange the merge and deploy to Gerrit ? (I am going to be out from tomorrow)

In T394863#10902084, @Jdlrobson-WMF wrote:

@sbassett would you be able to arrange the merge and deploy to Gerrit ? (I am going to be out from tomorrow)

Yes. We'd likely want to discretely deploy this as a security patch to Wikimedia production. And then it would be released with the next core security release, since it's a bundled extension.

sbassett added a parent task: Restricted Task.Jun 10 2025, 9:36 PM

sbassett moved this task from Watching to Security Patch To Deploy on the Security-Team board.

Updated patch taking into account @SomeRandomDeveloper's suggestion above in T394863#10901988

-                       .html( mw.message( 'multimediaviewer-download-preview-link-title' ).escaped() )
+                       .text( mw.msg( 'multimediaviewer-download-preview-link-title' ) )

(only in resources/mmv.ui.reuse/mmv.ui.download.pane.js):

01-T394863.patch4 KBDownload

...which @Mstyles should be deploying to production shortly.

Patch deployed to Wikimedia production by @Mstyles.

sbassett changed the task status from Open to In Progress.Jun 12 2025, 10:07 PM

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.

Over to Edward for QA

Edtadros updated the task description. (Show Details)Jun 18 2025, 7:53 AM

Test Result - Prod

Status: ✅ PASS
Environment: testwiki
OS: macOS Sequoia 15.5
Browser: Chrome Canary (latest as of test date)
Device: MS
Emulated Device: NA

Test Steps

Test Case 1: Validate XSS is not triggered in multimediaviewer-multiple-authors-combine

Upload a file to the wiki
Add the file to a wiki page
Visit the page with ?uselang=x-xss
Click the thumbnail to open MultimediaViewer
✅ AC1: Confirm the multiple authors label is shown without script execution

see below
Test Case 2: Validate XSS is not triggered in multimediaviewer-repository-local

Repeat steps from Test Case 1
✅ AC2: Confirm repository name in MultimediaViewer is not executable HTML

see below
Test Case 3: Validate XSS is not triggered in multimediaviewer-view-expanded

Visit the file’s page directly (not via a content page)
Add ?uselang=x-xss to the URL
Click the file to open in MultimediaViewer
✅ AC3: Confirm view-expanded label is escaped

see below
Test Case 4: Validate XSS is not triggered in multimediaviewer-copy-button

Open any file with ?uselang=x-xss
Open MultimediaViewer and click “Download”
✅ AC4: Confirm Copy button text is safe

see below
Test Case 5: Validate XSS is not triggered in multimediaviewer-download

Open MultimediaViewer with ?uselang=x-xss
Click “Download”
✅ AC5: Confirm Download label is not executing HTML

see below
Test Case 6: Validate XSS is not triggered in multimediaviewer-download-preview-link-title

Open MultimediaViewer and click “Download” tab
✅ AC6: Confirm preview link title is escaped properly

see below

I'm not entirely sure what I"m looking for here, but I didn't see any dialogs, or console messages that that were outside of normal behavior.

Edtadros moved this task from In progress to Sign-off on the Web-Team (Q4 Sprint 5 (June 4 2025 - 18 June)) board.Jun 18 2025, 8:37 AM

Edtadros updated the task description. (Show Details)

Afaik $wgUseXssLanguage is disabled on all (public) WMF wikis, so this can't be tested easily without spinning up a local MW instance. If it was enabled, all messages on the screen (at least those that don't use inContentLanguage) would appear as <script>alert('message-key')</script>"><script>alert('message-key')</script><x y="()

Jdrewniak claimed this task.Jun 18 2025, 5:29 PM

Reedy added a subscriber: GerritBot.Jun 24 2025, 8:11 PM

Reedy closed this task as Resolved.Jun 24 2025, 8:25 PM

Reedy added projects: MW-1.43-release, MW-1.44-release.Jun 24 2025, 10:50 PM

rEMMVa8a5247c5e8f: Use mw.msg shortcut seems to be related on numerous of the changes being fixed here... That's only in REL1_43 and REL1_44.

It looks like the patch therefore only partially applies to REL1_42/REL1_39 -- mmv.ui.download.pane.js and mmv.ui.utils.js don't apply.

Reedy renamed this task from Stored XSS through system messages in MultimediaViewer to CVE-2025-6595: Stored XSS through system messages in MultimediaViewer.Jun 24 2025, 11:27 PM

Reedy edited subscribers, added: gerritbot; removed: GerritBot.Jun 30 2025, 1:44 PM

Change #1165080 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_43] T394863

https://gerrit.wikimedia.org/r/1165080

Change #1165089 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_39] T394863

https://gerrit.wikimedia.org/r/1165089

Change #1165106 had a related patch set uploaded (by Reedy; author: Kimberly Sarabia):

[mediawiki/extensions/MultimediaViewer@master] SECURITY: Fix unescaped mw.msg usage

https://gerrit.wikimedia.org/r/1165106

Change #1165106 merged by jenkins-bot:

[mediawiki/extensions/MultimediaViewer@master] SECURITY: Fix unescaped mw.msg usage

https://gerrit.wikimedia.org/r/1165106

Change #1165089 abandoned by Reedy:

[mediawiki/core@REL1_39] T394863

https://gerrit.wikimedia.org/r/1165089

Change #1165080 abandoned by Reedy:

[mediawiki/core@REL1_43] T394863

https://gerrit.wikimedia.org/r/1165080

Change #1165128 had a related patch set uploaded (by Reedy; author: Kimberly Sarabia):

[mediawiki/extensions/MultimediaViewer@REL1_44] SECURITY: Fix unescaped mw.msg usage

https://gerrit.wikimedia.org/r/1165128

Change #1165129 had a related patch set uploaded (by Reedy; author: Kimberly Sarabia):

[mediawiki/extensions/MultimediaViewer@REL1_43] SECURITY: Fix unescaped mw.msg usage

https://gerrit.wikimedia.org/r/1165129

Change #1165130 had a related patch set uploaded (by Reedy; author: Kimberly Sarabia):

[mediawiki/extensions/MultimediaViewer@REL1_42] SECURITY: Fix unescaped mw.msg usage

https://gerrit.wikimedia.org/r/1165130

Change #1165140 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_42] T394863

https://gerrit.wikimedia.org/r/1165140

Change #1165140 abandoned by Reedy:

[mediawiki/core@REL1_42] T394863

https://gerrit.wikimedia.org/r/1165140

Change #1165144 had a related patch set uploaded (by Reedy; author: Kimberly Sarabia):

[mediawiki/extensions/MultimediaViewer@REL1_39] SECURITY: Fix unescaped mw.msg usage

https://gerrit.wikimedia.org/r/1165144

Change #1165128 merged by jenkins-bot:

[mediawiki/extensions/MultimediaViewer@REL1_44] SECURITY: Fix unescaped mw.msg usage

https://gerrit.wikimedia.org/r/1165128

Change #1165144 merged by jenkins-bot:

[mediawiki/extensions/MultimediaViewer@REL1_39] SECURITY: Fix unescaped mw.msg usage

https://gerrit.wikimedia.org/r/1165144

Change #1165130 merged by jenkins-bot:

[mediawiki/extensions/MultimediaViewer@REL1_42] SECURITY: Fix unescaped mw.msg usage

https://gerrit.wikimedia.org/r/1165130

Change #1165129 merged by jenkins-bot:

[mediawiki/extensions/MultimediaViewer@REL1_43] SECURITY: Fix unescaped mw.msg usage

https://gerrit.wikimedia.org/r/1165129

sbassett removed a project: Patch-For-Review.Jul 8 2025, 8:55 PM

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed the edit policy from "Custom Policy" to "All Users".

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Jul 8 2025, 9:14 PM

CVE-2025-6595: Stored XSS through system messages in MultimediaViewerClosed, ResolvedPublic3 Estimated Story PointsSecurityActions

Description

Requirement

BDD

Test Steps

QA Results - Prod

Details

Related ObjectsSearch...

Event Timeline

Test Result - Prod

Test Steps

CVE-2025-6595: Stored XSS through system messages in MultimediaViewer
Closed, ResolvedPublic3 Estimated Story PointsSecurity
Actions

Related Objects
Search...