Executive Summary

CVE-2025-61638 is a high-risk cross-site scripting (XSS) vulnerability in MediaWiki's Sanitizer component. It occurs because attributes starting with 'data-' bypass proper sanitization due to insufficient validation of allowed characters in attribute names. Malicious actors can inject crafted attribute names like 'data-/onclick=alert("XSS")' that execute JavaScript code. The root cause is improper parsing and validation of attribute names, especially in transclusion named arguments, which assume all valid argument names are valid HTML attribute names. The vulnerability allows injection of executable code via malformed attribute names, leading to XSS attacks. The issue was fixed by tightening the regular expression used to validate attribute names, disallowing problematic characters such as spaces, slashes, angle brackets, null bytes, colons, and equal signs in 'data-' attributes. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to inject malicious JavaScript code into web pages generated by MediaWiki, leading to cross-site scripting (XSS) attacks. Such attacks can result in unauthorized actions performed on behalf of users, theft of user credentials or session tokens, defacement of content, or distribution of malware. Essentially, it compromises the security and integrity of the affected MediaWiki sites and can harm users interacting with those sites. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing for injection of malicious payloads in MediaWiki transclusion arguments that use data- attributes. For example, attempting to inject payloads like `{{#tag:pre|data-/onclick=alert("XSS")}}` in the wiki content or preview can reveal if the sanitization bypass exists. There are no specific network commands provided, but manual or automated testing of MediaWiki pages with crafted transclusion arguments containing malformed data- attributes can help detect the vulnerability. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying the security patches provided by the Wikimedia Foundation that update the regular expression used in Sanitizer.php to properly validate data- attribute names, disallowing problematic characters such as spaces, slashes, angle brackets, equal signs, colons, and null bytes. Updating MediaWiki core and Parsoid to versions including these patches (MediaWiki versions 1.39.14, 1.43.4, 1.44.1 or later; Parsoid versions 0.16.6, 0.20.4, 0.21.1 or later) will mitigate the vulnerability. Until patches are applied, avoid allowing untrusted users to create or edit content with transclusion arguments that could include crafted data- attributes. [1]

Useful 0 Not Useful 0

Compliance Impact

[{'type': 'paragraph', 'content': "This vulnerability is a high-risk cross-site scripting (XSS) issue in MediaWiki's Sanitizer component that allows injection of malicious code via crafted HTML attribute names. Such XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, or execution of malicious scripts in users' browsers."}, {'type': 'paragraph', 'content': 'While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.'}, {'type': 'paragraph', 'content': 'Organizations using affected versions of MediaWiki or Parsoid without applying the patch may face increased risk of data breaches or unauthorized data exposure, potentially impacting compliance with privacy and security requirements mandated by regulations such as GDPR and HIPAA.'}] [1]

Useful 0 Not Useful 0