
Extension:DataTransfer affected by CVE-2025-54370
Closed, ResolvedPublicSecurity

Description

Hi!

I just found Extension:DataTransfer to be affected by CVE-2025-54370

> composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpoffice/phpspreadsheet                                                         |
| Severity          | high                                                                             |
| CVE               | CVE-2025-54370                                                                   |
| Title             | PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML   |
|                   | document in the browser                                                          |
| URL               | https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-p |
|                   | pxh                                                                              |
| Affected versions | <1.30.0|>=2.0.0,<2.1.0|>=2.1.0,<2.1.12|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=3.0.0,<3. |
|                   | 10.0|>=4.0.0,<5.0.0                                                              |
| Reported at       | 2025-08-03T01:06:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Will provide a patch.
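
A quick way to verify the claim in the `composer audit` row above against the version an install actually carries, as an added example (not code from this task, from composer or from PhpSpreadsheet): the script parses the affected-versions expression exactly as composer prints it (`|` between alternative ranges, `,` between conditions inside one range, each condition an operator plus a version), says whether a given version is inside, and computes the lowest non-affected version a bump would have to reach. The composer.lock excerpt and the package versions it is run against are constructed for the illustration; composer's own version comparator also handles stability suffixes, which this deliberately does not.

```python
"""Check installed versions against a composer-audit 'Affected versions' expression.
Added illustration, not part of the Phabricator task, composer or PhpSpreadsheet."""
import json
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Range = List[Tuple[str, Version]]

# Copied from the advisory row in the task description (table line breaks rejoined).
AFFECTED_CVE_2025_54370 = (
    "<1.30.0|>=2.0.0,<2.1.0|>=2.1.0,<2.1.12|>=2.2.0,<2.3.0|"
    ">=2.3.0,<2.4.0|>=3.0.0,<3.10.0|>=4.0.0,<5.0.0"
)

_COND_RE = re.compile(r"^(<=|>=|<|>|=)?\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """'v2.1.12' -> (2, 1, 12). Stability suffixes are dropped (simplifying assumption)."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def _holds(op: str, v: Version, bound: Version) -> bool:
    v, bound = _pad(v, bound)
    return {"<": v < bound, "<=": v <= bound, ">": v > bound,
            ">=": v >= bound, "=": v == bound}[op]


def parse_constraint(expr: str) -> List[Range]:
    """'A|B,C' -> [[A], [B, C]]: OR-ed ranges, each a list of AND-ed conditions."""
    ranges: List[Range] = []
    for alternative in expr.split("|"):
        conds: Range = []
        for cond in alternative.split(","):
            m = _COND_RE.match(cond.strip())
            if not m:
                raise ValueError(f"unparseable condition: {cond!r}")
            conds.append((m.group(1) or "=", parse_version(m.group(2))))
        ranges.append(conds)
    return ranges


def is_affected(version: str, expr: str = AFFECTED_CVE_2025_54370) -> bool:
    v = parse_version(version)
    return any(all(_holds(op, v, bound) for op, bound in conds)
               for conds in parse_constraint(expr))


def minimal_fixed_version(version: str, expr: str = AFFECTED_CVE_2025_54370) -> Optional[str]:
    """Lowest non-affected version above `version`, or None if it is already safe.
    Candidates are the '<' upper bounds of the ranges; a bound is only safe if no
    other range starts there (2.1.0 ends '>=2.0.0,<2.1.0' but starts '>=2.1.0,<2.1.12')."""
    if not is_affected(version, expr):
        return None
    v = parse_version(version)
    bounds = sorted({b for conds in parse_constraint(expr) for op, b in conds if op == "<"})
    for b in bounds:
        candidate = ".".join(map(str, b))
        if _holds(">", b, v) and not is_affected(candidate, expr):
            return candidate
    return None


def audit_lock(lock_json: str, advisories: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """(package, installed version, minimal fixed version) for every locked package
    whose name has an advisory expression that its version falls inside."""
    lock = json.loads(lock_json)
    hits = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        expr = advisories.get(pkg["name"])
        if expr and is_affected(pkg["version"], expr):
            hits.append((pkg["name"], pkg["version"], minimal_fixed_version(pkg["version"], expr)))
    return hits


# Constructed composer.lock excerpt, not the extension's real lock file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "phpoffice/phpspreadsheet", "version": "3.9.0"},
    {"name": "psr/log", "version": "3.0.0"},
]})

if __name__ == "__main__":
    for hit in audit_lock(SAMPLE_LOCK, {"phpoffice/phpspreadsheet": AFFECTED_CVE_2025_54370}):
        print("affected: %s %s, bump to at least %s" % hit)
```

Note what the expression implies for the "new minor" remark further down: from a 3.x install the first safe target is 3.10.0, from a 2.x install it is 2.1.12 or 2.4.0 depending on where you start, but every 4.x release is listed as affected, so an install on 4.x needs the 5.0.0 major, not a minor bump.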

Event Timeline

Apparently, it is sufficient to bump the library version to a new minor. None of the interfaces used by the extension has changed.

See https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1190252

sbassett added subscribers: gerritbot, sbassett.

Thanks for the report!

@sbassett Thanks for reviewing. The failing CI tests seem to be unrelated. Looks like a general incompatibility to a DB schema change in MediaWiki Core at master. Could we get this change cherry-picked and merged into REL1_43 as well?

Change #1190252 merged by jenkins-bot:

[mediawiki/extensions/DataTransfer@master] Bump dependency version

https://gerrit.wikimedia.org/r/1190252

Change #1194227 had a related patch set uploaded (by SBassett; author: Robert Vogel):

[mediawiki/extensions/DataTransfer@REL1_44] Bump dependency version

https://gerrit.wikimedia.org/r/1194227

Change #1194228 had a related patch set uploaded (by SBassett; author: Robert Vogel):

[mediawiki/extensions/DataTransfer@REL1_43] Bump dependency version

https://gerrit.wikimedia.org/r/1194228

Sure. I've picked the master patch to 1.44 and 1.43. 1.43 seems to have some version conflicts that git doesn't like, so those will need to be resolved.

Change #1194227 merged by jenkins-bot:

[mediawiki/extensions/DataTransfer@REL1_44] Bump dependency version

https://gerrit.wikimedia.org/r/1194227

Change #1194228 merged by jenkins-bot:

[mediawiki/extensions/DataTransfer@REL1_43] Bump dependency version

https://gerrit.wikimedia.org/r/1194228

sbassett triaged this task as Medium priority.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett removed a project: Patch-For-Review.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.