CVE-2025-59332
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-09-16

Assigner: GitHub, Inc.

Description
3DAlloy is a lightweight 3D viewer extension for MediaWiki. In versions 1.0 through 1.8, the <3d> parser tag and the {{#3d}} parser function allow users to provide custom attributes that are then appended to the canvas HTML element output by the extension. The attributes are not sanitized, so arbitrary JavaScript (for example an on* event handler attribute) can be inserted and executed.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 10 associated CPEs
Vendor: dolfinus, Product: 3dalloy
Versions listed: 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9
Note: the CPE list includes 1.9, but the description above gives the affected range as 1.0 through 1.8 and the mitigation guidance below names 1.9 as the patched release. Check the installed extension version on Special:Version and treat anything below 1.9 as affected.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-59332 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in the 3DAlloy extension for MediaWiki (versions 1.0 through 1.8). It occurs because user-supplied attributes passed to the <3d> parser tag and the {{#3d}} parser function are appended to the generated HTML <canvas> element without being sanitized. Because the attributes live in the page wikitext, an attacker who can edit a page can store an event handler attribute such as onmouseenter=alert(1) on the canvas, and the resulting JavaScript runs in the browser of everyone who subsequently views that page, in the origin of the affected MediaWiki site. [1]


How can this vulnerability impact me? :

This vulnerability leads to arbitrary JavaScript execution in the browser of anyone viewing the affected page, within the wiki's origin and with that viewer's session. That may result in privilege escalation (actions performed as an administrator who views the page), denial of service (DoS), or information leaks such as exfiltration of content or session data the viewer can access. The payload is stored in page content, so it persists and fires for every later viewer, and the attacker only needs whatever right is required to edit a page, which on an open wiki is none; exploitation is remote and, beyond viewing the page (and for a handler such as onmouseenter, moving the pointer over the canvas), needs no further user interaction. This makes it a significant risk to users and administrators of affected MediaWiki installations. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

First confirm exposure: the installed 3DAlloy version is shown on Special:Version; anything below 1.9 is vulnerable. Exploitation attempts can then be found by searching the wiki's page source (wikitext, not rendered HTML) for <3d> tags or {{#3d}} calls carrying attributes outside the set the extension actually uses, in particular any JavaScript event handler attribute (onmouseenter, onload, onclick, and so on). Searching for one handler name only, such as '<3d onmouseenter=', misses other handlers and case variants, so match the on*= pattern case-insensitively. Example grep commands over pages exported as wikitext (for instance via Special:Export or maintenance/dumpBackup.php): grep -rEin '<3d[^>]*\bon[a-z]+[[:space:]]*=' /path/to/wiki/pages and grep -rEin '\{\{#3d:[^}]*\bon[a-z]+[[:space:]]*=' /path/to/wiki/pages. Note that in a MediaWiki XML export the page text is XML-escaped, so the tag appears as '&lt;3d' there; search for that form instead. If CirrusSearch is installed, the same patterns can be run from the wiki itself with an insource: regex query. Finally, inspecting rendered pages in the browser's developer tools for unexpected event handler attributes on the canvas elements generated by 3DAlloy confirms whether a stored payload actually reaches the output. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the 3DAlloy extension to version 1.9 or later, where the vulnerability is patched by sanitizing user-supplied attributes. The fix passes the attributes through MediaWiki's Sanitizer::validateAttributes with an allow-list of safe attribute names ('file', 'width', 'height', 'color', 'opacity', 'zoom', 'pan', 'norotate', 'scale', 'z', 'style', 'class'), so every other attribute, including all on* event handlers, is dropped before the canvas element is emitted; applying that commit as a patch has the same effect if a full upgrade is not immediately possible. If neither is possible, restrict the use of the <3d> parser tag and {{#3d}} parser function to trusted users, or disable the extension until it is updated. After upgrading, remember that MediaWiki's parser cache may still hold previously rendered HTML containing injected attributes: purge the affected pages (for example with action=purge, or site-wide by bumping $wgCacheEpoch) so they are re-rendered through the sanitizing code. Additionally, review existing wiki pages for uses of these tags with unsafe attributes and remove them, and check the page history for the account that introduced them. [1, 2]
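The scan described in the detection answer and the allow-list filtering described in the mitigation answer, as one added example; this is not code from the page, from 3DAlloy or from MediaWiki. It parses wikitext for <3d ...> tags and {{#3d: ...}} calls, reports every attribute that the 1.9 allow-list would drop, and shows the attribute-level filtering the fix performs. The {{#3d:}} argument syntax (first bare argument is the file, the rest are pipe-separated key=value pairs), the sample page source, and the helper names are assumptions made for the example.

```python
import html
import re
import sys

# Attribute names the 1.9 fix keeps (allow-list quoted in the advisory). Anything else,
# including every on* event handler, is dropped before the <canvas> element is emitted.
ALLOWED_ATTRS = frozenset({
    "file", "width", "height", "color", "opacity", "zoom", "pan",
    "norotate", "scale", "z", "style", "class",
})

TAG_RE = re.compile(r"<3d\b([^>]*)>", re.IGNORECASE)   # opening <3d ...> tag, not </3d>
FUNC_RE = re.compile(r"\{\{#3d:(.*?)\}\}", re.DOTALL)   # {{#3d: ...}} parser function call
# name[=value] pairs; value may be double-quoted, single-quoted or bare (as in onmouseenter=alert(1))
ATTR_RE = re.compile(r"""([A-Za-z_:][\w:.-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?""")


def parse_tag_attrs(attr_text):
    """Attributes of a <3d ...> tag as {lowercased name: unquoted value} (HTML names are case-insensitive)."""
    return {name.lower(): value.strip("\"'") for name, value in ATTR_RE.findall(attr_text)}


def parse_func_args(arg_text):
    """Arguments of {{#3d: file | key=value | ...}}.

    Assumption (not taken from the extension's documentation): the first bare argument is
    the file and the remaining pipe-separated parts are key=value pairs.
    """
    attrs = {}
    for part in arg_text.split("|"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, value = part.split("=", 1)
            attrs[name.strip().lower()] = value.strip().strip("\"'")
        else:
            attrs.setdefault("file", part)
    return attrs


def sanitize_attrs(attrs):
    """Attribute-name-level equivalent of the fix: keep only allow-listed names."""
    return {name: value for name, value in attrs.items() if name in ALLOWED_ATTRS}


def find_unsafe_uses(wikitext):
    """Every <3d> tag or {{#3d}} call attribute that the fixed version would drop, in page order."""
    findings = []
    for kind, regex, parser in (("tag", TAG_RE, parse_tag_attrs),
                                ("function", FUNC_RE, parse_func_args)):
        for m in regex.finditer(wikitext):
            line = wikitext.count("\n", 0, m.start()) + 1
            for name, value in parser(m.group(1)).items():
                if name not in ALLOWED_ATTRS:
                    findings.append({"line": line, "pos": m.start(), "kind": kind,
                                     "attr": name, "value": value,
                                     "event_handler": name.startswith("on")})
    return sorted(findings, key=lambda f: f["pos"])


def scan_files(paths):
    """Scan exported page sources. A MediaWiki XML export stores '<' as '&lt;', so it is unescaped first."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if "<mediawiki" in text:          # XML dump from Special:Export / dumpBackup.php
            text = html.unescape(text)
        results[path] = find_unsafe_uses(text)
    return results


# Constructed sample page source (not real wiki content); line 2 is a benign use.
SAMPLE_WIKITEXT = """== Models ==
<3d file="teapot.stl" width=400 height=300 norotate></3d>
<3d file="teapot.stl" onmouseenter=alert(1)></3d>
{{#3d: teapot.stl | width=400 | onload="alert(document.cookie)" }}
<3d file=x.obj OnClick='alert(document.domain)' style="color:red"></3d>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_files(sys.argv[1:])
    else:
        results = {"<sample>": find_unsafe_uses(SAMPLE_WIKITEXT)}
    for path, findings in results.items():
        for f in findings:
            flag = "EVENT HANDLER" if f["event_handler"] else "not allow-listed"
            print(f"{path}:{f['line']}: {f['kind']} attribute {f['attr']!r}={f['value']!r} ({flag})")
```

Run it with one or more exported wikitext or XML dump files as arguments, or with no arguments to scan the embedded sample. Flagging every non-allow-listed attribute rather than only on* names mirrors what the fix actually does and also surfaces odd attributes worth a look; it does not inspect the values of allowed attributes such as style, which the extension's own sanitizer handles after the upgrade.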

