CVE-2025-53489
BaseFortify
Publication date: 2025-07-03
Last updated on: 2025-10-01
Assigner: wikimedia-foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jackphoenix | googledocs4mw | * |
| mediawiki | mediawiki | From 1.42.0 (inc) to 1.42.7 (exc) |
| mediawiki | mediawiki | From 1.43.0 (inc) to 1.43.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53489 is a low-risk Cross-Site Scripting (XSS) vulnerability in the GoogleDocs4MW extension for MediaWiki. The extension sanitizes the 'style' parameter only with PHP's htmlspecialchars function, which escapes HTML special characters but does not sanitize CSS content. An attacker can therefore inject malicious CSS, such as the url() function, into the style attribute. As a result, users' browsers can be made to load external resources, potentially leaking user information such as IP addresses. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to inject malicious CSS into web pages generated by the GoogleDocs4MW extension. Specifically, attackers can embed external resource URLs in the style attribute, causing users' browsers to make requests to attacker-controlled servers. This can be exploited to leak sensitive information such as users' IP addresses, potentially compromising user privacy. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a malicious style attribute containing a CSS url() function into the GoogleDocs4MW extension input, for example by inserting the following code into the Special:ExpandTemplates page: `<googlespreadsheet width="600" height="200" style="width:50%; background-image: url(https://http.cat/200);">test</googlespreadsheet>`. Then, using browser developer tools or network monitoring tools, observe whether a request is made to the external URL (https://http.cat/200). Such a request indicates that the injected CSS was applied by the browser, confirming the vulnerability. Tools such as `tcpdump`, Wireshark, or the browser's developer network tab can be used to detect such external requests. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the GoogleDocs4MW extension to a version that includes the patch which properly sanitizes the style parameter using MediaWiki's CSS sanitizer instead of just htmlspecialchars. If an update is not immediately possible, restrict or disable the use of the style attribute in the GoogleDocs4MW extension inputs to prevent injection of malicious CSS. Additionally, monitor and block suspicious outgoing requests triggered by injected CSS if possible. Applying the patch from the Gerrit changes (#1155269, #1155270, #1155271, #1155272) or upgrading MediaWiki and the extension to versions including these fixes is recommended. [1]
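As an added example (not code from the GoogleDocs4MW extension or the Gerrit patches), the following Python script audits wikitext for `<googlespreadsheet>` tags whose `style` value uses a resource-fetching CSS function, and checks that HTML escaping alone leaves such a value unchanged. The function names, the sample pages and the list of CSS functions are assumptions made here; `html.escape` stands in for PHP's `htmlspecialchars`, and the normalization is a simplified heuristic rather than MediaWiki's CSS sanitizer.

```python
import html
import re

# Opening <googlespreadsheet ...> tag; group 1 holds its attributes.
TAG_RE = re.compile(r"<googlespreadsheet\b([^>]*)>", re.IGNORECASE)
# Quoted style="..." or style='...' attribute value.
STYLE_RE = re.compile(r"""\bstyle\s*=\s*(["'])(.*?)\1""", re.I | re.S)
# CSS functions that make a browser fetch a resource (assumed, not exhaustive).
FETCH_RE = re.compile(r"(?:url|image-set|image)\s*\(", re.IGNORECASE)


def normalize_css(value):
    """Decode HTML entities, drop CSS comments, resolve CSS hex escapes."""
    value = re.sub(r"/\*.*?\*/", "", html.unescape(value), flags=re.S)
    return re.sub(r"\\([0-9a-fA-F]{1,6})\s?",
                  lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), value)


def find_risky_styles(wikitext):
    """Return style values on <googlespreadsheet> tags that can load resources."""
    hits = []
    for tag in TAG_RE.finditer(wikitext):
        style = STYLE_RE.search(tag.group(1))
        if style and FETCH_RE.search(normalize_css(style.group(2))):
            hits.append(style.group(2))
    return hits


def audit(pages):
    """Map page title -> risky style values; pages without hits are omitted."""
    found = {title: find_risky_styles(text) for title, text in pages.items()}
    return {title: hits for title, hits in found.items() if hits}


def html_escaping_changes(value):
    """True if HTML escaping alone would alter the style value."""
    return html.escape(value, quote=True) != value


# Constructed sample pages; "Sandbox" reuses the test input quoted above.
SAMPLE_PAGES = {
    "Sandbox": '<googlespreadsheet width="600" height="200" style="width:50%; '
               'background-image: url(https://http.cat/200);">test</googlespreadsheet>',
    "Budget": '<googlespreadsheet width="600" style="width:50%;">test</googlespreadsheet>',
    "NoStyle": '<googlespreadsheet width="600" height="200">test</googlespreadsheet>',
}

if __name__ == "__main__":
    for title, styles in audit(SAMPLE_PAGES).items():
        print(f"{title}: {styles}")
    print(html_escaping_changes("background-image: url(https://http.cat/200);"))
```

Run against exported page text, the `audit` result lists the pages to review before or after patching.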