CVE-2025-53497
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-08
Assigner: wikimedia-foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53497 is a stored Cross-Site Scripting (XSS) vulnerability in the MediaWiki RelatedArticles extension. It occurs because the extension inserts article descriptions from various sources directly into the web page's DOM using innerHTML without properly escaping the content. This allows attackers to inject arbitrary HTML and JavaScript code, such as malicious image tags with event handlers, which can execute in users' browsers when they view the RelatedArticles page menu. The vulnerability affects multiple description sources including TextExtracts, Wikibase/Wikidata, and Description2, and was introduced after a refactor that changed how descriptions are rendered. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your MediaWiki site when users view related articles. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the user. Since the injected scripts are stored in the descriptions, the attack persists and affects all users who access the vulnerable RelatedArticles feature. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing if the RelatedArticles extension improperly renders unescaped HTML/JavaScript in article descriptions. A practical detection method is to create or identify a page with a description containing a payload such as <img src="" onerror="alert(1)"> and then referencing it via the {{#related:}} parser function or linking a Wikidata item with a malicious description. If an alert or script execution occurs when viewing the RelatedArticles page menu, the vulnerability is present. There are no specific network commands provided, but manual testing via the MediaWiki interface with crafted descriptions is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the security patches that escape all user-controllable fields before insertion into the DOM. Specifically, ensure that the RelatedArticles extension uses mw.html.escape() on card titles, descriptions, URLs, and thumbnail URLs to prevent injection. If patches are not yet applied, avoid using untrusted description sources or disable the RelatedArticles extension until patched. Additionally, review configuration settings such as $wgRelatedArticlesDescriptionSource and consider setting it to a safer option or disabling description rendering temporarily. [1]