CVE-2025-53369
BaseFortify

Publication date: 2025-07-03

Last updated on: 2025-07-08

Assigner: GitHub, Inc.

Description
Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 4.0.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-03
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-53369 is a stored Cross-Site Scripting (XSS) vulnerability in the MediaWiki ShortDescription extension. It occurs because short descriptions provided by users are not properly sanitized before being inserted as raw HTML into the page subtitle using the function mw.util.addSubtitle. This allows any user to inject arbitrary HTML or JavaScript code into the page, which can then execute in the browsers of users viewing the page. The root cause is that the sanitization process decodes HTML entities after stripping tags, allowing malicious code to be reintroduced. The vulnerability was fixed by escaping the short description content before insertion, preventing script injection. [1, 2]


How can this vulnerability impact me?

This vulnerability allows an attacker to inject arbitrary HTML and JavaScript code into the MediaWiki pages that use the ShortDescription extension. Because the injected code executes in the browsers of users viewing the affected pages, it can lead to security breaches such as theft of user credentials, session hijacking, defacement, or distribution of malware. The vulnerability has a high severity with a CVSS v3 base score of 8.6, requires no privileges or user interaction to exploit, and can be triggered remotely over the network. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether your MediaWiki installation is running ShortDescription extension version 4.0.0, or any other unpatched version in which short descriptions are inserted as HTML without being escaped. A practical detection method is to create or inspect pages that use the {{SHORTDESC:}} parser function with HTML content, such as an image tag carrying an onerror JavaScript event, and then observe whether the script executes when the page is viewed. For example, you can create a page with the wikitext {{SHORTDESC:<img src="" onerror="alert('shortdescription xss')">}} and visit the page: an alert popping up indicates the vulnerability. No network-level detection commands are provided in the references; manual testing via page edits and viewing is the effective method. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the MediaWiki ShortDescription extension to version 4.0.1 or later, where the vulnerability has been patched. The patch escapes the short description content before inserting it into the DOM by calling mw.html.escape() on the short description before passing it to mw.util.addSubtitle(). If upgrading is not immediately possible, avoid enabling or using the ShortDescription tagline feature ($wgShortDescriptionEnableTagline), or restrict editing permissions to trusted users to reduce the risk of malicious input. [1, 2]
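To make the root cause and the fix concrete, here is an added example (not the extension's own code) that models the flawed "strip tags, then decode entities" pipeline the Q&A above describes, beside the patched approach of escaping the description right before it reaches the HTML sink. The MediaWiki APIs mw.html.escape() and mw.util.addSubtitle() are replaced by local stand-ins so the block runs outside a wiki page; the sample description is constructed test data.

```javascript
// Local equivalent of mw.html.escape(): escapes & < > " ' into entities.
// (Stand-in so the example runs without a MediaWiki page loaded.)
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;'
  })[c]);
}

// Removes anything that looks like an element tag.
function stripTags(s) { return s.replace(/<[^>]*>/g, ''); }

// Decodes the common entities; &amp; last so nothing is decoded twice.
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&#039;/g, "'")
          .replace(/&amp;/g, '&');
}

// Flawed pipeline (as the Q&A describes the unpatched behaviour):
// tags are stripped first and entities decoded afterwards, so markup that
// arrives entity-encoded survives the strip and comes back as live HTML.
function subtitleVulnerable(desc) {
  return decodeEntities(stripTags(desc));
}

// Patched pipeline (4.0.1 as described): escape immediately before the
// string is handed to the HTML sink (mw.util.addSubtitle in the extension).
function subtitleFixed(desc) {
  return escapeHtml(desc);
}

// Defender's check on the string that reaches the sink: does it still
// contain an element start tag?
function containsTag(html) { return /<[a-zA-Z]/.test(html); }

// Constructed sample short description carrying entity-encoded markup.
const SAMPLE = 'Plain text &lt;b&gt;bold&lt;/b&gt;';

console.log('vulnerable:', subtitleVulnerable(SAMPLE), containsTag(subtitleVulnerable(SAMPLE)));
console.log('fixed:     ', subtitleFixed(SAMPLE), containsTag(subtitleFixed(SAMPLE)));
```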

