CVE-2025-53500: Stored XSS through system messages in MassEditRegex
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	SomeRandomDeveloper
	Jun 18 2025, 1:45 PM

Description

The masseditregex-before and masseditregex-after system messages are inserted into raw HTML by the MassEditRegex extension, allowing for stored XSS by inserting malicious HTML into the messages.

Reproduction steps

Clone https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MassEditRegex/+/1160772 to get the extension working on MW >1.44, or use an MW version between 1.40-1.43 for testing this
Edit MediaWiki:Masseditregex-before to Before<script>alert('before')</script>
Edit MediaWiki:Masseditregex-after to After<script>alert('after')</script>
Go to Special:MassEditRegex, enter any existing page into the "Pages to edit:" field and click "Show preview"

Cause

The system messages are retrieved using the text output mode, which does not sanitize them, concatenated with HTML and inserted into diffEngine->getDiff via the $otitle and $ntitle parameters, which are inserted as raw HTML.

Additional information

MediaWiki: 1.45.0-alpha (b6993c3)
MassEditRegex: 4b70e3e

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
SECURITY: Escape system messages in diff headers	mediawiki/extensions/MassEditRegex	REL1_42	+14 -5
SECURITY: Escape system messages in diff headers	mediawiki/extensions/MassEditRegex	REL1_39	+12 -4
SECURITY: Escape system messages in diff headers	mediawiki/extensions/MassEditRegex	REL1_43	+13 -4
SECURITY: Escape system messages in diff headers	mediawiki/extensions/MassEditRegex	REL1_44	+13 -4
SECURITY: Escape system messages in diff headers	mediawiki/extensions/MassEditRegex	master	+13 -4

Customize query in gerrit

Related Objects

Mentioned In: T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2)
Mentioned Here: rEMER4b70e3eec949: Replace removed class aliases with imports
rMWb6993c3a4220: Localisation updates from https://translatewiki.net.

Event Timeline

SomeRandomDeveloper created this task.Jun 18 2025, 1:45 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 18 2025, 1:45 PM

Added @Malvineous as the extension maintainer.

Patch (on top of https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MassEditRegex/+/1160772 which should be merged and backported to REL1_44 first; the security patch might not apply without conflicts on REL1_42 and REL1_43):

01-T397334.patch1 KBDownload

MassEditRegex does not appear to be bundled or Wikimedia-deployed, so the patch can get pushed through gerrit and we'll add it to the supplemental release once it's merged.

sbassett edited projects, added SecTeam-Processed; removed Security-Team.Jun 23 2025, 4:25 PM

sbassett added a subscriber: gerritbot.

Change #1163878 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/extensions/MassEditRegex@master] SECURITY: Escape system messages in diff headers

https://gerrit.wikimedia.org/r/1163878

Change #1163879 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/extensions/MassEditRegex@REL1_44] SECURITY: Escape system messages in diff headers

https://gerrit.wikimedia.org/r/1163879

Change #1163880 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/extensions/MassEditRegex@REL1_43] SECURITY: Escape system messages in diff headers

https://gerrit.wikimedia.org/r/1163880

Change #1163881 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/extensions/MassEditRegex@REL1_42] SECURITY: Escape system messages in diff headers

https://gerrit.wikimedia.org/r/1163881

Change #1163882 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/extensions/MassEditRegex@REL1_39] SECURITY: Escape system messages in diff headers

https://gerrit.wikimedia.org/r/1163882

Change #1163878 merged by jenkins-bot:

[mediawiki/extensions/MassEditRegex@master] SECURITY: Escape system messages in diff headers

https://gerrit.wikimedia.org/r/1163878

Change #1163879 merged by jenkins-bot:

[mediawiki/extensions/MassEditRegex@REL1_44] SECURITY: Escape system messages in diff headers

https://gerrit.wikimedia.org/r/1163879

Change #1163880 merged by jenkins-bot:

[mediawiki/extensions/MassEditRegex@REL1_43] SECURITY: Escape system messages in diff headers

https://gerrit.wikimedia.org/r/1163880

Change #1163882 merged by jenkins-bot:

[mediawiki/extensions/MassEditRegex@REL1_39] SECURITY: Escape system messages in diff headers

https://gerrit.wikimedia.org/r/1163882

Change #1163881 merged by jenkins-bot:

[mediawiki/extensions/MassEditRegex@REL1_42] SECURITY: Escape system messages in diff headers

https://gerrit.wikimedia.org/r/1163881

Merged and backported to 1.44, 1.43, 1.42 and 1.39.

sbassett mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).Jun 25 2025, 8:54 PM

• Jly renamed this task from Stored XSS through system messages in MassEditRegex to CVE-2025-53500: Stored XSS through system messages in MassEditRegex.Jun 30 2025, 7:27 PM

• Jly removed a project: Patch-For-Review.Jul 7 2025, 6:46 PM

• Jly changed the visibility from "Custom Policy" to "Public (No Login Required)".

• Jly changed the edit policy from "Custom Policy" to "All Users".

• Jly changed Risk Rating from N/A to Low.

	F62377295: 01-T397334.patch
	Jun 18 2025, 1:54 PM

CVE-2025-53500: Stored XSS through system messages in MassEditRegexClosed, ResolvedPublicSecurityActions