CVE-2025-53488: Stored XSS through system messages in WikiHiero
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	SomeRandomDeveloper
	Jun 10 2025, 7:44 PM

Description

The wikihiero-input and wikihiero-result system messages are concatenated with raw HTML in the WikiHiero extension, allowing arbitrary HTML to be inserted into the DOM by editing these system messages.

Reproduction steps

Go to Special:Hieroglyphs?uselang=x-xss in your wiki
Enter any text into the input and click Submit

Cause

The system messages are retrieved via mw.msg() and concatenated with raw HTML: https://github.com/wikimedia/mediawiki-extensions-wikihiero/blob/cdbcaea09bdf79c4ce6f6b86a9afd2fe251bb63e/modules/ext.wikihiero.special.js#L29-L32

Additional information

MediaWiki 1.45.0-alpha (b6993c3)
PHP 8.3.14 (fpm-fcgi)
WikiHiero 1.1 (cdbcaea)
Firefox 139.0 on Fedora Linux 42

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
SECURITY: Insert system messages using .text() to prevent stored XSS	mediawiki/extensions/wikihiero	REL1_42	+15 -8
SECURITY: Insert system messages using .text() to prevent stored XSS	mediawiki/extensions/wikihiero	REL1_39	+15 -8
SECURITY: Insert system messages using .text() to prevent stored XSS	mediawiki/extensions/wikihiero	master	+15 -8
SECURITY: Insert system messages using .text() to prevent stored XSS	mediawiki/extensions/wikihiero	REL1_44	+15 -8
SECURITY: Insert system messages using .text() to prevent stored XSS	mediawiki/extensions/wikihiero	REL1_43	+15 -8

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
					Restricted Task
		Resolved	Security	SomeRandomDeveloper	T396524 CVE-2025-53488: Stored XSS through system messages in WikiHiero

Event Timeline

SomeRandomDeveloper created this task.Jun 10 2025, 7:44 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 10 2025, 7:44 PM

SomeRandomDeveloper claimed this task.Jun 10 2025, 7:44 PM

Patch:

01-T396524.patch1 KBDownload

SomeRandomDeveloper added a parent task: Restricted Task.Jun 10 2025, 7:48 PM

SomeRandomDeveloper added projects: affects-Miraheze, Vuln-XSS, WikiHiero.

In T396524#10901660, @SomeRandomDeveloper wrote:

Patch:

01-T396524.patch1 KBDownload

CR+1. Would be good to get this deployed this week.

Patch deployed to Wikimedia production by @Mstyles.

sbassett changed the task status from Open to In Progress.Jun 12 2025, 10:02 PM

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.

sbassett mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).Jun 12 2025, 10:06 PM

• Jly renamed this task from Stored XSS through system messages in WikiHiero to CVE-2025-53488: Stored XSS through system messages in WikiHiero.Jun 30 2025, 7:21 PM

• Jly added a subscriber: gerritbot.Jul 2 2025, 11:24 PM

Change #1166018 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/wikihiero@master] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166018

Change #1166019 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/wikihiero@REL1_44] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166019

Change #1166020 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/wikihiero@REL1_43] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166020

Change #1166021 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/wikihiero@REL1_42] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166021

Change #1166022 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/wikihiero@REL1_39] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166022

@Jly please make sure to set the author field of these and the other security patches that are currently being uploaded to gerrit so the authors are properly credited, thank you.

Change #1166021 abandoned by Jly:

[mediawiki/extensions/wikihiero@REL1_42] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166021

Change #1166022 abandoned by Jly:

[mediawiki/extensions/wikihiero@REL1_39] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166022

SomeRandomDeveloper mentioned this in T394869: CVE-2025-7056: Stored XSS through a system message in UrlShortener.Jul 4 2025, 6:51 AM

Change #1166018 merged by Jly:

[mediawiki/extensions/wikihiero@master] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166018

Change #1166020 merged by Jly:

[mediawiki/extensions/wikihiero@REL1_43] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166020

Change #1166019 merged by Jly:

[mediawiki/extensions/wikihiero@REL1_44] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166019

• Jly closed this task as Resolved.Jul 7 2025, 6:38 PM

• Jly removed a project: Patch-For-Review.

sbassett triaged this task as Low priority.Jul 7 2025, 6:40 PM

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed the edit policy from "Custom Policy" to "All Users".

sbassett changed Risk Rating from N/A to Low.

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.9; 2025-07-08).Jul 7 2025, 7:00 PM

SomeRandomDeveloper mentioned this in T399414: XSS through system messages in WikiHiero still reproducible on certain versions.Jul 13 2025, 5:58 PM

Change #1166022 restored by SBassett:

[mediawiki/extensions/wikihiero@REL1_39] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166022

Change #1166021 restored by SBassett:

[mediawiki/extensions/wikihiero@REL1_42] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166021

Change #1166022 merged by jenkins-bot:

[mediawiki/extensions/wikihiero@REL1_39] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166022

Change #1166021 merged by SBassett:

[mediawiki/extensions/wikihiero@REL1_42] SECURITY: Insert system messages using .text() to prevent stored XSS

https://gerrit.wikimedia.org/r/1166021

CVE-2025-53488: Stored XSS through system messages in WikiHieroClosed, ResolvedPublicSecurityActions

Description

Reproduction steps

Cause

Additional information

Details

Related ObjectsSearch...

Event Timeline

CVE-2025-53488: Stored XSS through system messages in WikiHiero
Closed, ResolvedPublicSecurity
Actions

Related Objects
Search...