Maniphest T402095

CVE-2025-62663: Stored XSS through a system message in UploadWizard
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	SomeRandomDeveloper
	Aug 16 2025, 8:29 PM

Description

The mwe-upwiz-source-ownwork-origin-option-ai-description system message is inserted as raw HTML by the UploadWizard extension, allowing for stored XSS.

Reproduction steps

Make sure $wgUseXssLanguage is set to true
Make sure uploads are enabled and you're logged in
Go to /wiki/Special:UploadWizard?uselang=x-xss
Click the blue button
Click the blue upload button and select any file
Click the blue "Next" button in the bottom right

Cause

The result of mw.msg, which returns the unescaped contents of the message, is wrapped in an HtmlSnippet.
https://gerrit.wikimedia.org/g/mediawiki/extensions/UploadWizard/+/f86dd16bcb67ece9d838d4b5fffbb41a91ab069f/resources/deed/uw.deed.OwnWork.js#147

Additional information

MediaWiki: 1.45.0-alpha (4ad1e30)
Vector: a13cbaa
Upload Wizard: f86dd16

Details

Author Affiliation: Wikimedia Communities

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
SECURITY: Parse system message instead of inserting it as HTML	mediawiki/extensions/UploadWizard	REL1_43	+1 -1
SECURITY: Parse system message instead of inserting it as HTML	mediawiki/extensions/UploadWizard	REL1_44	+1 -1
SECURITY: Parse system message instead of inserting it as HTML	mediawiki/extensions/UploadWizard	master	+1 -1
SECURITY: Parse system message instead of inserting it as HTML	mediawiki/extensions/UploadWizard	REL1_39	+114 -0

Customize query in gerrit

Related Objects

Mentioned In: T407157: CVE-2026-0671: Multiple stored i18n/message-key XSSes in UploadWizard
T397776: Write and send supplementary release announcement for extensions and skins with security patches (1.39.14/1.43.4/1.44.1)
Mentioned Here: rSVECa13cbaa34fc5: Remove obsolete PHPDoc tags that literally repeat the code
rEUWIf86dd16bcb67: Localisation updates from https://translatewiki.net.
rMW4ad1e30eabe2: Use namespaced GlobalVarConfig in schemas and callbacks

Event Timeline

SomeRandomDeveloper created this task.Aug 16 2025, 8:29 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 16 2025, 8:29 PM

SomeRandomDeveloper claimed this task.Aug 16 2025, 8:30 PM

SomeRandomDeveloper added projects: UploadWizard, affects-Miraheze, Vuln-XSS.

Patch:

T402095.patch845 BDownload

The message only contains <b> tags (at least in the default translation), so parsing it should be fine

SomeRandomDeveloper mentioned this in T397776: Write and send supplementary release announcement for extensions and skins with security patches (1.39.14/1.43.4/1.44.1).Aug 16 2025, 8:36 PM

sbassett changed the task status from Open to In Progress.Aug 18 2025, 4:36 PM

sbassett reassigned this task from SomeRandomDeveloper to mmartorana.

sbassett triaged this task as Low priority.

sbassett moved this task from Incoming to In Progress on the Security-Team board.

sbassett added a project: SecTeam-Processed.

From a security perspective, this is safe to deploy.

sbassett moved this task from In Progress to Security Patch To Deploy on the Security-Team board.Aug 25 2025, 4:16 PM

The above patch was deployed during today's (2025-08-25) security window.

Reedy closed this task as Resolved.Sep 17 2025, 1:47 PM

Reedy added a subscriber: gerritbot.

Change #1189182 had a related patch set uploaded (by Reedy; author: nousername):

[mediawiki/extensions/UploadWizard@master] SECURITY: Parse system message instead of inserting it as HTML

https://gerrit.wikimedia.org/r/1189182

Change #1189182 merged by jenkins-bot:

[mediawiki/extensions/UploadWizard@master] SECURITY: Parse system message instead of inserting it as HTML

https://gerrit.wikimedia.org/r/1189182

Change #1189211 had a related patch set uploaded (by Reedy; author: nousername):

[mediawiki/extensions/UploadWizard@REL1_44] SECURITY: Parse system message instead of inserting it as HTML

https://gerrit.wikimedia.org/r/1189211

Change #1189215 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/extensions/UploadWizard@REL1_43] SECURITY: Parse system message instead of inserting it as HTML

https://gerrit.wikimedia.org/r/1189215

Change #1189216 had a related patch set uploaded (by SomeRandomDeveloper; author: SomeRandomDeveloper):

[mediawiki/extensions/UploadWizard@REL1_39] SECURITY: Parse system message instead of inserting it as HTML

https://gerrit.wikimedia.org/r/1189216

Change #1189216 abandoned by SomeRandomDeveloper:

[mediawiki/extensions/UploadWizard@REL1_39] SECURITY: Parse system message instead of inserting it as HTML

Reason:

The affected code and the system message don't exist in 1.39

https://gerrit.wikimedia.org/r/1189216

Change #1189211 merged by jenkins-bot:

[mediawiki/extensions/UploadWizard@REL1_44] SECURITY: Parse system message instead of inserting it as HTML

https://gerrit.wikimedia.org/r/1189211

Change #1189215 merged by jenkins-bot:

[mediawiki/extensions/UploadWizard@REL1_43] SECURITY: Parse system message instead of inserting it as HTML

https://gerrit.wikimedia.org/r/1189215

Mstyles renamed this task from Stored XSS through a system message in UploadWizard to CVE-2025-62663: Stored XSS through a system message in UploadWizard.Oct 18 2025, 5:00 AM

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".

Mstyles changed the edit policy from "Custom Policy" to "All Users".

(reassigning to patch author for posterity)

A_smart_kitten mentioned this in T407157: CVE-2026-0671: Multiple stored i18n/message-key XSSes in UploadWizard.Oct 18 2025, 11:55 AM

	F65762404: T402095.patch
	Aug 16 2025, 8:35 PM

CVE-2025-62663: Stored XSS through a system message in UploadWizardClosed, ResolvedPublicSecurityActions