Page MenuHomePhabricator
Create Task
Maniphest T401526

CVE-2026-0669: Path Traversal vulnerability in CSS extension on certain web servers
Closed, ResolvedPublicSecurity
Actions

Description

Forward-slashes can be represented by %2F in URIs and web servers like NGINX normalise it by default (while others others like Apache also support it when configured).
To use the example PoC provided in T369486, this would successfully load on such a server:

{{#css: /..%2Findex.php?title=CSS/Path traversal/styles.css&action=raw&ctype=text/css}}<!--
--><div class="purple"></div>

Again, backward-slashes can be represented by %5c so this would work, too, on some servers (the patch for T369486 was incomplete):

{{#css: /..%5cindex.php?title=CSS/Path traversal/styles.css&action=raw&ctype=text/css}}<!--
--><div class="purple"></div>

This behaviour is less common as far as I can see.

Details

Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Normalise URL encodings to prevent path traversalmediawiki/extensions/CSSREL1_39+5 -3
SECURITY: Normalise URL encodings to prevent path traversalmediawiki/extensions/CSSREL1_44+5 -3
SECURITY: Normalise URL encodings to prevent path traversalmediawiki/extensions/CSSREL1_43+5 -3
SECURITY: Normalise URL encodings to prevent path traversalmediawiki/extensions/CSSmaster+5 -3
Customize query in gerrit

Related Objects

Event Timeline

Redmin created this task.Aug 9 2025, 11:14 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 9 2025, 11:14 AM
Redmin added a project: MediaWiki-extensions-CSS.Aug 9 2025, 11:16 AM
Redmin added subscribers: BlankEclair, Nad, GICodeWarrior.

The easiest (but obviously 'hackiest') solution would be to just normalise these in the extension.

sbassett edited projects, added SecTeam-Processed, Vuln-DirectoryTraversal; removed Security-Team.Aug 11 2025, 5:03 PM
sbassett added subscribers: gerritbot, sbassett.EditedAug 12 2025, 4:01 PM

As this extension isn't bundled or Wikimedia-deployed, an eventual security patch can just go through gerrit.

gerritbot added a comment.Oct 8 2025, 10:02 AM

Change #1194575 had a related patch set uploaded (by R4356thwiki; author: R4356thwiki):

[mediawiki/extensions/CSS@master] SECURITY: Normalise URL encodings to prevent path traversal

https://gerrit.wikimedia.org/r/1194575

gerritbot added a project: Patch-For-Review.Oct 8 2025, 10:02 AM
Redmin claimed this task.Oct 8 2025, 10:37 AM
Redmin added a subscriber: SomeRandomDeveloper.Oct 14 2025, 2:30 PM
SomeRandomDeveloper renamed this task from Path Traversal vulnerabilty in CSS extension on certain web servers to Path Traversal vulnerability in CSS extension on certain web servers.Oct 18 2025, 1:20 PM
gerritbot added a comment.Oct 27 2025, 7:27 PM

Change #1199050 had a related patch set uploaded (by SomeRandomDeveloper; author: R4356thwiki):

[mediawiki/extensions/CSS@REL1_44] SECURITY: Normalise URL encodings to prevent path traversal

https://gerrit.wikimedia.org/r/1199050

gerritbot added a comment.Oct 27 2025, 7:27 PM

Change #1199051 had a related patch set uploaded (by SomeRandomDeveloper; author: R4356thwiki):

[mediawiki/extensions/CSS@REL1_43] SECURITY: Normalise URL encodings to prevent path traversal

https://gerrit.wikimedia.org/r/1199051

sbassett mentioned this in T404620: Write and send supplementary release announcement for extensions and skins with security patches (1.39.16/1.43.6/1.44.3/1.45.1).Oct 27 2025, 7:28 PM
gerritbot added a comment.Oct 27 2025, 7:29 PM

Change #1194575 merged by jenkins-bot:

[mediawiki/extensions/CSS@master] SECURITY: Normalise URL encodings to prevent path traversal

https://gerrit.wikimedia.org/r/1194575

gerritbot added a comment.Oct 27 2025, 7:33 PM

Change #1199053 had a related patch set uploaded (by SomeRandomDeveloper; author: R4356thwiki):

[mediawiki/extensions/CSS@REL1_39] SECURITY: Normalise URL encodings to prevent path traversal

https://gerrit.wikimedia.org/r/1199053

SomeRandomDeveloper added a comment.Oct 27 2025, 7:36 PM

I think T369486 hasn't been backported to REL1_39 (https://github.com/wikimedia/mediawiki-extensions-CSS/blob/2be2b32b0bca2af060eba394d9316b18deaeb662/CSS.class.php#L42-L51) so I'm probably gonna have to backport that first

SomeRandomDeveloper added a comment.Oct 27 2025, 7:44 PM
In T401526#11313517, @SomeRandomDeveloper wrote:

I think T369486 hasn't been backported to REL1_39 (https://github.com/wikimedia/mediawiki-extensions-CSS/blob/2be2b32b0bca2af060eba394d9316b18deaeb662/CSS.class.php#L42-L51) so I'm probably gonna have to backport that first

Done in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CSS/+/1199055/1 which https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CSS/+/1199053/3 depends on.

gerritbot added a comment.Oct 27 2025, 9:56 PM

Change #1199051 merged by jenkins-bot:

[mediawiki/extensions/CSS@REL1_43] SECURITY: Normalise URL encodings to prevent path traversal

https://gerrit.wikimedia.org/r/1199051

gerritbot added a comment.Oct 27 2025, 9:56 PM

Change #1199050 merged by jenkins-bot:

[mediawiki/extensions/CSS@REL1_44] SECURITY: Normalise URL encodings to prevent path traversal

https://gerrit.wikimedia.org/r/1199050

gerritbot added a comment.Oct 29 2025, 1:12 PM

Change #1199053 merged by jenkins-bot:

[mediawiki/extensions/CSS@REL1_39] SECURITY: Normalise URL encodings to prevent path traversal

https://gerrit.wikimedia.org/r/1199053

Redmin added a comment.Oct 31 2025, 12:47 PM

The patches have been merged so I think this can be closed once the Security Team adds this to the tracking task for the next supplemental release announcement.

SomeRandomDeveloper closed this task as Resolved.Oct 31 2025, 1:44 PM
sbassett added a comment.Nov 3 2025, 4:19 PM
In T401526#11331177, @Redmin wrote:

The patches have been merged so I think this can be closed once the Security Team adds this to the tracking task for the next supplemental release announcement.

Yes, this issue (and its patches) have been added in T404620, which is the supplemental security release that will come out towards the end of December 2025.

Redmin added a comment.Nov 6 2025, 4:56 AM
In T401526#11336430, @sbassett wrote:
In T401526#11331177, @Redmin wrote:

The patches have been merged so I think this can be closed once the Security Team adds this to the tracking task for the next supplemental release announcement.

Yes, this issue (and its patches) have been added in T404620, which is the supplemental security release that will come out towards the end of December 2025.

Great, thanks.

mmartorana renamed this task from Path Traversal vulnerability in CSS extension on certain web servers to CVE-2026-0669: Path Traversal vulnerability in CSS extension on certain web servers.Jan 7 2026, 5:47 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 9 2026, 2:49 PM
mmartorana changed the edit policy from "Custom Policy" to "All Users".
Maintenance_bot removed a project: Patch-For-Review.Jan 9 2026, 3:31 PM
Redmin mentioned this in T415379: Request to add Redmin to Security Team's Hall of Fame.Fri, Jan 23, 3:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits