Page MenuHomePhabricator
Create Task
Maniphest T402149

CVE-2025-62670: Stored XSS through a system message in FlexDiagrams
Closed, ResolvedPublicSecurity
Actions

Description

The flexdiagrams-drawio-saveinfo system message is inserted as HTML by the FlexDiagrams extension, allowing for stored XSS.

Reproduction steps

  1. Create a Drawio diagram
  2. Go to /w/index.php?title=Drawio:Test2&action=editdiagram&uselang=x-xss (make sure to adjust the name of the diagram page, as it has to exist for the vulnerability to work)

image.png (591×197 px, 20 KB)

Cause

The message is retrieved in the text output mode and inserted through an HtmlSnippet:
https://gerrit.wikimedia.org/g/mediawiki/extensions/FlexDiagrams/+/1ba4aff57096626b3ddb386d8c23c7c384613513/resources/ext.flexdiagrams.drawio.js#116

Additional info

Details

Author Affiliation
Wikimedia Communities

Related Objects

Event Timeline

SomeRandomDeveloper created this task.Aug 17 2025, 11:08 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 17 2025, 11:09 PM
SomeRandomDeveloper claimed this task.Aug 17 2025, 11:09 PM
SomeRandomDeveloper added projects: MediaWiki-extensions-FlexDiagrams, Vuln-XSS, affects-Miraheze.
SomeRandomDeveloper added a subscriber: Yaron_Koren.Aug 17 2025, 11:12 PM

Patch:

T402149.patch1 KBDownload

flexdiagrams-drawio-saveinfo doesn't contain any HTML, and neither should $( '#wpSave' ).attr( 'value' ), so removing the HtmlSnippet should be fine.

SomeRandomDeveloper added a project: Patch-For-Review.Aug 17 2025, 11:13 PM
SomeRandomDeveloper mentioned this in T397776: Write and send supplementary release announcement for extensions and skins with security patches (1.39.14/1.43.4/1.44.1).
Yaron_Koren closed this task as Resolved.Aug 18 2025, 1:57 PM

@SomeRandomDeveloper - thank you for the diagnosis, and the patch. I checked in your patch here: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FlexDiagrams/+/1179692

sbassett removed a project: Patch-For-Review.Aug 18 2025, 2:02 PM
sbassett edited projects, added: SecTeam-Processed; removed: Security-Team.
sbassett added a subscriber: gerritbot.
SomeRandomDeveloper added a comment.Aug 18 2025, 2:04 PM

@Yaron_Koren thanks for merging the patch. Please make sure to use git am to apply my patch next time when uploading it. The commit message 'Simplify code for "Please save" notice for Drawio diagrams' is missing a "SECURITY:" prefix and does not sufficiently state that the commit contains a security fix.

SomeRandomDeveloper added a comment.Aug 18 2025, 2:06 PM

Also the message should have mentioned this task.

Mstyles renamed this task from Stored XSS through a system message in FlexDiagrams to CVE-2025-62670: Stored XSS through a system message in FlexDiagrams.Oct 18 2025, 5:03 AM
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits