CVE-2025-59332
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-09-16

Assigner: GitHub, Inc.

Description
3DAlloy is a lightWeight 3D-viewer for MediaWiki. From 1.0 through 1.8, the <3d> parser tag and the {{#3d}} parser function allow users to provide custom attributes that are then appended to the canvas HTML element that is being output by the extension. The attributes are not sanitized, which means that arbitrary JavaScript can be inserted and executed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-15
Last Modified
2025-09-16
Generated
2026-06-16
AI Q&A
2025-09-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59332
EUVD
EUVD-2025-29237
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
dolfinus 3dalloy 1.2
dolfinus 3dalloy 1.0
dolfinus 3dalloy 1.9
dolfinus 3dalloy 1.8
dolfinus 3dalloy 1.3
dolfinus 3dalloy 1.5
dolfinus 3dalloy 1.6
dolfinus 3dalloy 1.7
dolfinus 3dalloy 1.1
dolfinus 3dalloy 1.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59332 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in the 3DAlloy extension for MediaWiki (versions 1.0 through 1.8). It occurs because user-supplied attributes passed to the <3d> parser tag and the {{#3d}} parser function are not properly sanitized before being appended to the HTML <canvas> element. This allows attackers to inject and execute arbitrary JavaScript code within the context of the affected MediaWiki site, for example by adding event handlers like onmouseenter=alert(1). [1]

Impact Analysis

This vulnerability can lead to arbitrary JavaScript execution in the user's browser, which may result in privilege escalation, denial of service (DoS), or information leaks. Because the attack requires no privileges or user interaction and can be exploited remotely, it poses a significant security risk to users and administrators of affected MediaWiki installations. [1]

Detection Guidance

This vulnerability can be detected by searching for usage of the vulnerable <3d> parser tag or the {{#3d}} parser function in your MediaWiki pages that include unsanitized custom attributes. Specifically, you can look for pages containing <3d> tags or {{#3d}} functions with suspicious event handler attributes like onmouseenter or other JavaScript event handlers. For example, you can run a search command on your MediaWiki database or exported pages for patterns like '<3d onmouseenter=' or '{{#3d:' with event attributes. Additionally, monitoring HTTP responses for injected JavaScript in the canvas element attributes can help detect exploitation attempts. Example grep commands on exported wiki content or backups: grep -r '<3d onmouseenter=' /path/to/wiki/pages or grep -r '{{#3d:.*onmouseenter=' /path/to/wiki/pages. Also, inspecting rendered pages in a browser's developer tools for unexpected event handlers on canvas elements generated by 3DAlloy can help detect the vulnerability. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the 3DAlloy extension to version 1.9 or later, where the vulnerability is patched by sanitizing user-supplied attributes. If upgrading is not immediately possible, you should restrict or disable the use of the <3d> parser tag and {{#3d}} parser function to trusted users only, or apply input validation to disallow event handler attributes such as onmouseenter. Applying the patch from the commit that uses Sanitizer::validateAttributes to whitelist only safe attributes ('file', 'width', 'height', 'color', 'opacity', 'zoom', 'pan', 'norotate', 'scale', 'z', 'style', 'class') will prevent injection of malicious JavaScript. Additionally, review and sanitize any existing wiki pages that use these tags with unsafe attributes. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59332. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart