CVE-2025-62670
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-21
Assigner: wikimedia-foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_wikimedia_foundation | mediawiki | 1.45.0-alpha |
| the_wikimedia_foundation | flexdiagrams | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62670 is a stored Cross-Site Scripting (XSS) vulnerability in the FlexDiagrams extension of MediaWiki. It occurs because a system message called "flexdiagrams-drawio-saveinfo" is inserted into web pages as HTML without proper sanitization. This allows an attacker to store malicious scripts that execute when the message is rendered, potentially compromising users who view the affected pages. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts in the context of the affected website. This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacing content, or spreading malware to users who visit the compromised pages. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the stored XSS attack vector. Specifically, create a Drawio diagram page in the MediaWiki FlexDiagrams extension and access the URL pattern `/w/index.php?title=Drawio:Test2&action=editdiagram&uselang=x-xss` (replacing "Drawio:Test2" with an existing diagram page). If the system message "flexdiagrams-drawio-saveinfo" is improperly sanitized and inserted as HTML, malicious scripts may execute. Monitoring HTTP responses for unsanitized HTML in this message or scanning for the presence of the vulnerable JavaScript code (in `ext.flexdiagrams.drawio.js` around line 116) can also help detect the issue. There are no specific command-line tools or commands provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the patch that removes the use of HtmlSnippet for inserting the "flexdiagrams-drawio-saveinfo" system message, ensuring that no unsafe HTML insertion occurs. This patch has been reviewed, merged, and marked as resolved by the security team. If patching is not immediately possible, restrict access to the affected functionality or disable the FlexDiagrams extension until the fix can be applied. [1]