Page MenuHomePhabricator
Create Task
Maniphest T406639

CVE-2025-67477: Stored XSS through a system message in Special:ApiSandbox
Closed, ResolvedPublicSecurity
Actions

Assigned To
SomeRandomDeveloper
Authored By
SomeRandomDeveloper
Oct 7 2025, 7:14 PM
Project Tags
Referenced Files
F66736797: T406639-REL1_43.patch
Oct 7 2025, 7:36 PM
F66736770: image.png
Oct 7 2025, 7:17 PM
F66736767: T406639.patch
Oct 7 2025, 7:16 PM
Subscribers
Aklapper
gerritbot
Mstyles
sbassett
SomeRandomDeveloper

Description

The word-separator system message is inserted as HTML at Special:ApiSandbox if certain actions are selected.

Reproduction steps

  1. Edit MediaWiki:Word-separator to <img src=x onerror=alert(1)>
  2. Go to /wiki/Special:ApiSandbox#action=opensearch (all actions with a parameter using the limit type work, e.g. /wiki/Special:ApiSandbox#action=query&list=allimages)

image.png (443×184 px, 16 KB)

Cause

https://gerrit.wikimedia.org/g/mediawiki/core/+/e07d3c7a37fbc26d70562d153c1f7b0f5f07e044/resources/src/mediawiki.special.apisandbox/ApiSandboxLayout.js#99

Similar code is also present here, but while I tried various modules that had parameters marked as PARAM_ISMULTI => true, ppi.multi was never present in the API responses for me:
https://gerrit.wikimedia.org/g/mediawiki/core/+/e07d3c7a37fbc26d70562d153c1f7b0f5f07e044/resources/src/mediawiki.special.apisandbox/ApiSandboxLayout.js#144

Additional information

  • MediaWiki: 1.45.0-alpha

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Escape word-separator message in Special:ApiSandboxmediawiki/coremaster+2 -2
SECURITY: Escape word-separator message in Special:ApiSandboxmediawiki/coreREL1_44+2 -2
SECURITY: Escape word-separator message in Special:ApiSandboxmediawiki/coreREL1_45+2 -2
SECURITY: Escape word-separator message in Special:ApiSandboxmediawiki/coreREL1_43+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

SomeRandomDeveloper created this task.Oct 7 2025, 7:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 7 2025, 7:14 PM
SomeRandomDeveloper claimed this task.Oct 7 2025, 7:14 PM
SomeRandomDeveloper added projects: Vuln-XSS, affects-Miraheze.
SomeRandomDeveloper added a project: Patch-For-Review.

T406639.patch1 KBDownload

SomeRandomDeveloper added a project: MediaWiki-Action-API.Oct 7 2025, 7:17 PM
SomeRandomDeveloper updated the task description. (Show Details)
SomeRandomDeveloper added a comment.Oct 7 2025, 7:36 PM

This affects REL1_43, REL1_44 and master. While F66736767 (linked above) applies on REL1_44 and master, REL1_43 needs a separate patch as the affected code is in a different file:

T406639-REL1_43.patch1 KBDownload

Reedy added projects: MW-1.45-release, MW-1.44-release, MW-1.43-release.Oct 7 2025, 11:31 PM
sbassett changed the task status from Open to In Progress.EditedOct 8 2025, 3:14 PM
sbassett triaged this task as Low priority.
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.
sbassett added a project: SecTeam-Processed.
sbassett subscribed.
In T406639#11251854, @SomeRandomDeveloper wrote:

T406639.patch1 KBDownload

CR+2, I think this can go out during next week's security deployment window.

Er, Monday is a US holiday. If someone non-US based would like to deploy this then, great, otherwise maybe we can target the following day or piggyback off of a backport window.

sbassett added a subscriber: Mstyles.Oct 20 2025, 4:51 PM

@Mstyles and/or I are planning to deploy this during today's (2025-10-20) Wikimedia security deployment window.

sbassett added a comment.Oct 20 2025, 9:11 PM

The above patch was deployed to 1.45.0-wmf.23.

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Oct 20 2025, 9:12 PM
sbassett removed a project: Patch-For-Review.
sbassett added a parent task: Restricted Task.
MSantos moved this task from Blocker to Not a blocker on the MW-1.45-release board.Oct 21 2025, 3:30 PM
Reedy closed this task as Resolved.Dec 8 2025, 2:31 PM
Reedy renamed this task from Stored XSS through a system message in Special:ApiSandbox to CVE-2025-67477: Stored XSS through a system message in Special:ApiSandbox.Dec 8 2025, 5:53 PM
Reedy added a subscriber: gerritbot.Dec 9 2025, 9:22 PM
gerritbot added a comment.Dec 10 2025, 10:35 PM

Change #1217295 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/core@REL1_43] SECURITY: Escape word-separator message in Special:ApiSandbox

https://gerrit.wikimedia.org/r/1217295

gerritbot added a project: Patch-For-Review.Dec 10 2025, 10:35 PM
gerritbot added a comment.Dec 10 2025, 10:54 PM

Change #1217306 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/core@REL1_44] SECURITY: Escape word-separator message in Special:ApiSandbox

https://gerrit.wikimedia.org/r/1217306

gerritbot added a comment.Dec 10 2025, 11:21 PM

Change #1217323 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/core@REL1_45] SECURITY: Escape word-separator message in Special:ApiSandbox

https://gerrit.wikimedia.org/r/1217323

gerritbot added a comment.Dec 10 2025, 11:32 PM

Change #1217332 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/core@master] SECURITY: Escape word-separator message in Special:ApiSandbox

https://gerrit.wikimedia.org/r/1217332

gerritbot added a comment.Dec 10 2025, 11:34 PM

Change #1217295 merged by jenkins-bot:

[mediawiki/core@REL1_43] SECURITY: Escape word-separator message in Special:ApiSandbox

https://gerrit.wikimedia.org/r/1217295

gerritbot added a comment.Dec 10 2025, 11:39 PM

Change #1217306 merged by jenkins-bot:

[mediawiki/core@REL1_44] SECURITY: Escape word-separator message in Special:ApiSandbox

https://gerrit.wikimedia.org/r/1217306

gerritbot added a comment.Dec 10 2025, 11:49 PM

Change #1217323 merged by jenkins-bot:

[mediawiki/core@REL1_45] SECURITY: Escape word-separator message in Special:ApiSandbox

https://gerrit.wikimedia.org/r/1217323

gerritbot added a comment.Dec 11 2025, 12:34 AM

Change #1217332 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Escape word-separator message in Special:ApiSandbox

https://gerrit.wikimedia.org/r/1217332

SomeRandomDeveloper added a comment.Apr 5 2026, 11:26 PM

Could this be made public?

sbassett removed a project: Patch-For-Review.Apr 6 2026, 2:09 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Maintenance_bot added a project: MW-Interfaces-Team.Apr 6 2026, 2:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits