CVE-2025-62667
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-21
Assigner: wikimedia-foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_wikimedia_foundation | mediawiki | 1.45.0-alpha |
| the_wikimedia_foundation | mediawiki_growth_experiments_extension | 6806956 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62667 is a stored Cross-Site Scripting (XSS) vulnerability in the GrowthExperiments extension of MediaWiki. It occurs because article extracts containing unsanitized user-provided content are inserted directly into the web page's DOM as raw HTML. This allows attackers to inject malicious scripts via specially crafted article extracts, which then execute in the browsers of users viewing the affected page. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to execute malicious scripts in the browsers of users who visit the affected MediaWiki pages. This can lead to theft of user credentials, session hijacking, defacement of web content, or distribution of malware. Essentially, it compromises the security and trustworthiness of the website and can negatively affect users' privacy and security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the behavior of the GrowthExperiments extension on the MediaWiki Special:Homepage, specifically by checking whether article extracts are inserted into the DOM as raw HTML without sanitization. One approach is to monitor HTTP requests to the Wikimedia REST API endpoint (e.g., https://en.wikipedia.org/api/rest_v1/page/summary/{title}) and analyze the 'extract' field for HTML tags that should not be present. Additionally, you can use browser developer tools to inspect the DOM elements on Special:Homepage to see whether injected scripts or HTML tags are rendered rather than displayed as text. No specific commands are provided, but manual inspection or automated scanners that detect stored XSS in web applications can be used. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the patch that changes the code to insert article extracts as plain text instead of raw HTML, which prevents execution of injected scripts. If patching is not immediately possible, disabling the GrowthExperiments extension or the suggested edits feature on Special:Homepage reduces exposure. Monitoring for updates and deploying the official fix, which was merged and deployed to production by late August 2025, is recommended. [1]
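The raw-HTML versus plain-text distinction described in the answers above, as an added example that is not code from MediaWiki or the GrowthExperiments extension: a vulnerable renderer that splices the extract straight into markup (the innerHTML pattern), the fixed renderer that escapes it (the textContent pattern), and a small check over a constructed page-summary response that flags markup in the 'extract' field. The response shape and the CSS class name are assumptions.

```javascript
// Added example; not code from MediaWiki or GrowthExperiments.
// Constructed sample of what a page-summary response could carry if a page's
// extract contained attacker-controlled markup (the field name follows the
// REST summary endpoint named in the advisory; the payload is harmless).
const SAMPLE_SUMMARY = {
  title: "Example_Article",
  extract: "Plain lead sentence. <script>document.title='x'</script>",
};

// Vulnerable pattern (equivalent of element.innerHTML = extract): the extract
// is spliced into the page markup untouched, so any tags it carries are parsed
// and any script in it runs in the viewer's browser.
function renderExtractAsHtml(extract) {
  return `<p class="suggested-edit-extract">${extract}</p>`;
}

// Fixed pattern (equivalent of element.textContent = extract): every
// HTML-significant character is escaped, so the extract is shown as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderExtractAsText(extract) {
  return `<p class="suggested-edit-extract">${escapeHtml(extract)}</p>`;
}

// Detection helper for the monitoring approach described above: returns the
// distinct tag names found in a summary's extract (empty array = no markup).
function findTagsInExtract(summary) {
  const tags = new Set();
  const re = /<\s*\/?\s*([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(summary.extract || "")) !== null) {
    tags.add(m[1].toLowerCase());
  }
  return [...tags];
}

console.log(findTagsInExtract(SAMPLE_SUMMARY)); // ["script"]
console.log(renderExtractAsHtml(SAMPLE_SUMMARY.extract)); // tag survives
console.log(renderExtractAsText(SAMPLE_SUMMARY.extract)); // tag escaped
```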