CVE-2025-62663
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-21
Assigner: wikimedia-foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_wikimedia_foundation | mediawiki_uploadwizard_extension | * |
| the_wikimedia_foundation | mediawiki | 1.45.0-alpha |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62663 is a stored Cross-Site Scripting (XSS) vulnerability in the UploadWizard extension of MediaWiki. It occurs because a system message is inserted as raw HTML without proper escaping, allowing malicious scripts to be stored and executed. Specifically, the mw.msg function returns unescaped message content that is wrapped in an HtmlSnippet, enabling attackers to inject harmful scripts that run when the page is viewed. [1]
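The unsafe and the corrected pattern side by side, as an added illustration that is not part of this record or of MediaWiki's code: mw.msg(), mw.message(key).escaped() and OO.ui.HtmlSnippet are replaced by constructed stand-ins, the message store is constructed, and HTML escaping stands in for the parser path the actual patch uses.

```javascript
// Minimal model of the front-end pieces involved in CVE-2025-62663.
// Constructed for this example: not MediaWiki or OOUI code, only stand-ins
// for mw.msg(), mw.message(key).escaped() and OO.ui.HtmlSnippet.

// Constructed message store. The second entry mimics what the x-xss test
// language does: the message text itself carries an HTML probe.
const MESSAGES = {
  'example-upload-prompt': 'Select a media file to share',
  'example-upload-prompt-xss': 'Select a media file <script>alert(1)</script>',
};

function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// Stand-in for mw.msg(): returns the message text with no escaping at all.
function msg(key) {
  return MESSAGES[key] !== undefined ? MESSAGES[key] : '(' + key + ')';
}

// Stand-in for mw.message(key).escaped(): HTML-escaped message text.
function msgEscaped(key) {
  return escapeHtml(msg(key));
}

// Stand-in for OO.ui.HtmlSnippet: marks a string as trusted, pre-built HTML.
class HtmlSnippet {
  constructor(html) { this.html = html; }
}

// Stand-in for an OOUI widget's label handling: plain strings are escaped
// on output, HtmlSnippet instances are emitted verbatim.
function renderLabel(label) {
  return label instanceof HtmlSnippet ? label.html : escapeHtml(label);
}

// Vulnerable pattern: raw mw.msg() text declared trusted via HtmlSnippet,
// so the escaping step in renderLabel() is bypassed.
function labelVulnerable(key) {
  return renderLabel(new HtmlSnippet(msg(key)));
}

// Fixed pattern: only escaped (in the real patch: parsed) message output
// is ever wrapped as trusted HTML.
function labelFixed(key) {
  return renderLabel(new HtmlSnippet(msgEscaped(key)));
}

// Audit check on rendered markup: does an active script element survive?
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The same check, run against the markup a widget actually emits under uselang=x-xss, is what the reproduction steps on this page exercise manually.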
How can this vulnerability impact me?
This vulnerability can allow attackers to execute malicious scripts in the context of users viewing the affected pages. This can lead to theft of user credentials, session hijacking, defacement, or distribution of malware. Since it is a stored XSS, the malicious code persists on the server and affects all users who access the vulnerable page or feature. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reproducing the stored XSS condition in the UploadWizard extension. Specifically, ensure the configuration variable $wgUseXssLanguage is set to true, uploads are enabled, and the user is logged in. $wgUseXssLanguage enables MediaWiki's built-in x-xss test language, which replaces every interface message with an XSS probe, so the unescaped message path is exercised without crafting custom payloads. Then navigate to /wiki/Special:UploadWizard?uselang=x-xss, click the blue upload button, select any file, and proceed through the wizard. If a script executes, the vulnerability is present. No specific network commands are provided; testing the UploadWizard interface as described is the way to confirm the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the patch that changes the code to parse system message content instead of inserting it as raw HTML. This fix prevents execution of malicious scripts by safely handling system messages. The patch was deployed during the security window on August 25, 2025, and is included in MediaWiki version 1.45.0-alpha and relevant UploadWizard extension branches. Until the patch is applied, consider disabling the UploadWizard extension or restricting access to logged-in users with trusted roles to reduce risk. [1]