Page MenuHomePhabricator
Create Task
Maniphest T398636

CVE-2025-61657: Stored XSS through system messages in sticky header buttons in Vector
Closed, ResolvedPublicSecurity
Actions

Description

The JS implementation for copying button labels to the sticky header in the Vector skin unescapes HTML characters, allowing for stored XSS through system messages.

Reproduction

  1. Edit any of the affected messages (vector-2022-view-history, nstab-talk, unwatch, vector-2022-view-edit) to the following payload: <img src="" onerror="alert('Sticky Header Button XSS')">.
  2. Visit any mainspace article in the wiki using the Vector 2022 skin.

image.png (558×970 px, 50 KB)

Cause

Similarly to T396685, when copying the button labels, the innerHTML of the new element is set to the textContent of the old element: https://github.com/wikimedia/mediawiki-skins-Vector/blob/baac7c4788f174b8e985c7b691fcc159985330f6/resources/skins.vector.js/stickyHeader.js#L66
This unescapes any escaped HTML characters and causes the contents of the system messages to be interpreted as HTML.

Additional information

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Insert sticky header labels as text instead of HTMLmediawiki/skins/Vectormaster+1 -1
SECURITY: Insert sticky header labels as text instead of HTMLmediawiki/skins/VectorREL1_44+1 -1
SECURITY: Insert sticky header labels as text instead of HTMLmediawiki/skins/VectorREL1_43+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

SomeRandomDeveloper created this task.Jul 3 2025, 2:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 3 2025, 2:14 PM
SomeRandomDeveloper claimed this task.Jul 3 2025, 2:14 PM
SomeRandomDeveloper added projects: Vector 2022, Vuln-XSS.
SomeRandomDeveloper added a project: affects-Miraheze.

01-T398636.patch1 KBDownload

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Jul 7 2025, 4:27 PM
sbassett added a project: SecTeam-Processed.
Mstyles subscribed.Jul 7 2025, 4:56 PM
In T398636#10972807, @SomeRandomDeveloper wrote:

01-T398636.patch1 KBDownload

+2 going to deploy this during the security deploy window today

Mstyles moved this task from Security Patch To Deploy to Watching on the Security-Team board.Jul 7 2025, 9:37 PM
In T398636#10980133, @Mstyles wrote:
In T398636#10972807, @SomeRandomDeveloper wrote:

01-T398636.patch1 KBDownload

+2 going to deploy this during the security deploy window today

Deployed

sbassett added a parent task: T397767: Tracking bug for MediaWiki 1.39.14/1.43.4/1.44.1.Jul 7 2025, 9:44 PM
SomeRandomDeveloper mentioned this in T400585: Use img elements for x-xss language code.Jul 27 2025, 9:49 PM
SomeRandomDeveloper added a parent task: T400585: Use img elements for x-xss language code.Aug 1 2025, 11:37 AM
SecurityPatchBot triaged this task as Unbreak Now! priority.Aug 25 2025, 11:53 PM
SecurityPatchBot added a parent task: T396377: 1.45.0-wmf.16 deployment blockers.
Patch is blocking upcoming release

Patch 02-T398636.patch is currently failing to apply for the most recent code in the mainline branch of skins/Vector. This is blocking MediaWiki release 1.45.0-wmf.16(T396377)

If the patch needs to be rebased

A new version of the patch can be placed at the right location in the deployment server with the following Scap command:

REVISED_PATCH=<path_to_revised_patch>
scap update-patch --message-body 'Rebase to solve merge conflicts' /srv/patches/next/skins/Vector/02-T398636.patch "$REVISED_PATCH"

If the patch has been made public

The patch can be dropped in the deployment server with the following Scap command:

scap remove-patch --message-body 'Dropping patch already made public' /srv/patches/next/skins/Vector/02-T398636.patch
Aklapper added a comment.Aug 26 2025, 7:51 AM

This needed a rebase due to a4fcdc183e28d87cbadc670c08278c9976a745a8:

01-T398636.patch1 KBDownload

Aklapper removed a parent task: T396377: 1.45.0-wmf.16 deployment blockers.Aug 26 2025, 8:58 AM
Aklapper lowered the priority of this task from Unbreak Now! to Needs Triage.Aug 26 2025, 9:18 AM
sbassett subscribed.Aug 26 2025, 6:14 PM

Thanks @Aklapper for getting this updated on deployment!

Reedy added a subscriber: gerritbot.Sep 17 2025, 1:37 PM
Reedy renamed this task from Stored XSS through system messages in sticky header buttons in Vector to CVE-2025-61657: Stored XSS through system messages in sticky header buttons in Vector.Sep 29 2025, 1:42 PM
Reedy added projects: MW-1.43-release, MW-1.44-release.Sep 29 2025, 11:06 PM
SecurityPatchBot triaged this task as Unbreak Now! priority.Sep 30 2025, 1:31 AM
SecurityPatchBot added a parent task: T405677: 1.45.0-wmf.21 deployment blockers.
Patch is blocking this week's MediaWiki train!

Patch 02-T398636.patch is currently failing to apply for version 1.45.0-wmf.21 of skins/Vector. MW train cannot move forward until the patch is fixed (T405677)
Please note you can disregard any existing previous messages in this task from SecurityPatchBot concerning version 1.45.0-wmf.21. To unblock the train, run one of the commands in this message

If the patch needs to be rebased

A new version of the patch can be placed at the right location in the deployment server with the following Scap command:

REVISED_PATCH=<path_to_revised_patch>
scap update-patch --message-body 'Rebase to solve merge conflicts' /srv/patches/1.45.0-wmf.21/skins/Vector/02-T398636.patch "$REVISED_PATCH"

If the patch has been made public

The patch can be dropped in the deployment server with the following Scap command:

scap remove-patch --message-body 'Dropping patch already made public' /srv/patches/1.45.0-wmf.21/skins/Vector/02-T398636.patch
hashar added subscribers: Reedy, hashar.EditedSep 30 2025, 9:27 AM

The patch went to be in conflict with Gerrit 1192262 - stickyHeader.js: Remove duplicate comment by @Reedy. I have resolved the trivial conflict and pushed the patch as:

/srv/patches/next/skins/Vector/02-T398636.patch
/srv/patches/1.45.0-wmf.21/skins/Vector/02-T398636.patch

I have committed the conflict resolution as 20d78d953ae259e13f26eefdebc7fecffdbb7be2

hashar mentioned this in T405677: 1.45.0-wmf.21 deployment blockers.Sep 30 2025, 9:55 AM
hashar unsubscribed.Sep 30 2025, 11:45 AM
SomeRandomDeveloper lowered the priority of this task from Unbreak Now! to Needs Triage.Sep 30 2025, 11:31 PM
hashar removed a parent task: T405677: 1.45.0-wmf.21 deployment blockers.Oct 1 2025, 1:01 PM
Reedy closed this task as Resolved.Oct 1 2025, 8:53 PM
gerritbot added a comment.Oct 2 2025, 8:09 PM

Change #1193204 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/skins/Vector@REL1_43] SECURITY: Insert sticky header labels as text instead of HTML

https://gerrit.wikimedia.org/r/1193204

gerritbot added a project: Patch-For-Review.Oct 2 2025, 8:09 PM
gerritbot added a comment.Oct 2 2025, 8:25 PM

Change #1193204 merged by jenkins-bot:

[mediawiki/skins/Vector@REL1_43] SECURITY: Insert sticky header labels as text instead of HTML

https://gerrit.wikimedia.org/r/1193204

gerritbot added a comment.Oct 2 2025, 9:23 PM

Change #1193237 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/skins/Vector@REL1_44] SECURITY: Insert sticky header labels as text instead of HTML

https://gerrit.wikimedia.org/r/1193237

gerritbot added a comment.Oct 2 2025, 9:37 PM

Change #1193237 merged by jenkins-bot:

[mediawiki/skins/Vector@REL1_44] SECURITY: Insert sticky header labels as text instead of HTML

https://gerrit.wikimedia.org/r/1193237

gerritbot added a comment.Oct 2 2025, 11:30 PM

Change #1193269 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/skins/Vector@master] SECURITY: Insert sticky header labels as text instead of HTML

https://gerrit.wikimedia.org/r/1193269

gerritbot added a comment.Oct 3 2025, 12:18 AM

Change #1193269 merged by jenkins-bot:

[mediawiki/skins/Vector@master] SECURITY: Insert sticky header labels as text instead of HTML

https://gerrit.wikimedia.org/r/1193269

SomeRandomDeveloper added a comment.Sun, Apr 5, 11:32 PM

Could this be made public?

sbassett triaged this task as Medium priority.Mon, Apr 6, 2:06 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett removed a project: Patch-For-Review.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
Bugreporter2 awarded a token.Tue, Apr 7, 11:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits