Page MenuHomePhabricator
Create Task
Maniphest T404475

CVE-2025-62659: CookieConsent should use reserved data attributes to avoid potential XSS vectors
Closed, ResolvedPublicSecurity
Actions

Description

While this is likely not an immediate security issue (unless there is an extension, which I'm currently not aware of, that allows what I've described below), I've still decided to file a private security task to report it, since extension code that would normally be safe can turn into an XSS vulnerability.

When reviewing the CookieConsent extension for a planned deployment to the Miraheze wiki farm, I stumbled upon this code. It sets the src attribute of all iframes that have the data-cookieconsent attribute to the value of the data-src attribute. However, a lot of tag extensions pass attributes that are provided by the user via wikitext to the HTML elements they create. While most extension tag implementations use the Sanitizer::validateAttributes function to remove attributes that could potentially be used for XSS, most data attributes, including data-src and data-cookieconsent are allowed by it. If there is an extension that creates iframes and adds user-provided attributes to the output, it is therefore possible to perform XSS by setting data-src to e.g. javascript:alert(1).

To avoid this, reserved data-attributes should be used. Sanitizer::isReservedDataAttribute disallows all data attributes starting with data-mw-.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Use reserved data attributesmediawiki/extensions/CookieConsentmaster+5 -5
Customize query in gerrit

Related Objects

Event Timeline

SomeRandomDeveloper created this task.Sep 12 2025, 8:45 PM
Restricted Application added a project: affects-Miraheze. · View Herald TranscriptSep 12 2025, 8:45 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
SomeRandomDeveloper added a project: MediaWiki-extensions-CookieConsent.Sep 12 2025, 8:45 PM
SomeRandomDeveloper added subscribers: Xxmarijnw, gerritbot.

Added @Xxmarijnw as the extension maintainer.

Suggested patch:

T404475.patch2 KBDownload

SomeRandomDeveloper added a subscriber: Universal_Omega.Sep 12 2025, 8:48 PM
Xxmarijnw added a comment.Sep 12 2025, 8:54 PM

Thank you for your detailed report and the provided patch. I’ll check this out in detail coming Tuesday.

sbassett edited projects, added Vuln-XSS, SecTeam-Processed; removed Security-Team.Sep 15 2025, 4:47 PM
sbassett subscribed.
In T404475#11177697, @SomeRandomDeveloper wrote:

Added @Xxmarijnw as the extension maintainer.

Suggested patch:

T404475.patch2 KBDownload

Thanks for the report and patch. This should just go through gerrit for review. Once merged, we can track this within the current supplemental release.

gerritbot added a comment.Sep 16 2025, 10:02 AM

Change #1188735 had a related patch set uploaded (by Xxmarijnw; author: Xxmarijnw):

[mediawiki/extensions/CookieConsent@master] Use reserved data attributes

https://gerrit.wikimedia.org/r/1188735

gerritbot added a project: Patch-For-Review.Sep 16 2025, 10:02 AM
gerritbot added a comment.Sep 16 2025, 11:45 AM

Change #1188735 merged by jenkins-bot:

[mediawiki/extensions/CookieConsent@master] SECURITY: Use reserved data attributes

https://gerrit.wikimedia.org/r/1188735

Xxmarijnw closed this task as Resolved.Sep 16 2025, 11:45 AM
Xxmarijnw claimed this task.
SomeRandomDeveloper mentioned this in T397776: Write and send supplementary release announcement for extensions and skins with security patches (1.39.14/1.43.4/1.44.1).Sep 16 2025, 11:47 AM
sbassett removed a project: Patch-For-Review.Oct 20 2025, 8:05 PM
sbassett triaged this task as Medium priority.Oct 20 2025, 8:08 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
Restricted Application added a subscriber: Reception123. · View Herald TranscriptOct 20 2025, 8:08 PM
SomeRandomDeveloper renamed this task from CookieConsent should use reserved data attributes to avoid potential XSS vectors to CVE-2025-62659: CookieConsent should use reserved data attributes to avoid potential XSS vectors.Oct 22 2025, 7:27 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits