CVE-2025-61638 Overview
CVE-2025-61638 is a Cross-Site Scripting (XSS) vulnerability affecting Wikimedia Foundation's MediaWiki and Parsoid components. The vulnerability stems from improper neutralization of input during web page generation, allowing attackers to potentially inject malicious scripts into web pages rendered by affected MediaWiki installations.
The vulnerability is associated with the Sanitizer component in both MediaWiki (includes/parser/Sanitizer.php) and Parsoid (src/Core/Sanitizer.php), which are responsible for sanitizing user-supplied content before rendering.
Critical Impact
This XSS vulnerability could allow authenticated attackers to inject malicious scripts that execute in the context of other users' browsers when viewing affected wiki pages, potentially leading to session hijacking, data theft, or unauthorized actions.
Affected Products
- MediaWiki versions before 1.39.14, 1.43.4, and 1.44.1
- Parsoid versions before 0.16.6, 0.20.4, and 0.21.1
- Wikimedia Foundation MediaWiki installations using vulnerable Sanitizer components
Discovery Timeline
- 2026-02-03 - CVE CVE-2025-61638 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-61638
Vulnerability Analysis
This Cross-Site Scripting vulnerability exists within the Sanitizer component of both MediaWiki and Parsoid. The Sanitizer is a critical security component responsible for processing and sanitizing HTML content before it is rendered to users. When user-supplied input passes through the vulnerable Sanitizer.php files, certain malicious payloads may bypass the sanitization logic and be rendered as executable script content in victims' browsers.
The vulnerability requires user interaction and low privileges to exploit, indicating that an authenticated user with limited permissions could craft malicious wiki content that, when viewed by other users, executes arbitrary JavaScript in their browser context.
Root Cause
The root cause lies in insufficient input validation and sanitization within the Sanitizer.php files in both MediaWiki (includes/parser/Sanitizer.php) and Parsoid (src/Core/Sanitizer.php). The sanitization logic fails to properly neutralize certain input patterns that can be interpreted as executable script content by web browsers. This allows specially crafted input to bypass the intended security controls designed to prevent XSS attacks.
Attack Vector
The attack is network-based and requires the following conditions:
- Authentication Required: The attacker must have some level of authenticated access to the MediaWiki instance
- User Interaction: A victim user must view the page containing the malicious payload
- Content Injection: The attacker crafts wiki content that exploits the sanitization bypass
When successful, the injected script executes within the security context of the wiki application, potentially allowing the attacker to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious sites.
The vulnerability manifests in the Sanitizer component's parsing logic. Attackers can craft wiki markup or HTML that, when processed by the vulnerable Sanitizer, results in unsanitized script content being included in the rendered page output. For technical details, see the Wikimedia Task T401099.
Detection Methods for CVE-2025-61638
Indicators of Compromise
- Unusual or obfuscated JavaScript patterns in wiki page content or revision history
- Unexpected inline event handlers or script tags in wiki markup
- User reports of unexpected browser behavior when viewing specific wiki pages
- Suspicious wiki edits containing encoded or escaped characters that could represent script content
Detection Strategies
- Implement web application firewall (WAF) rules to detect common XSS payload patterns targeting MediaWiki
- Monitor wiki revision logs for suspicious content patterns, particularly in HTML attributes and event handlers
- Deploy browser-based XSS detection mechanisms such as Content Security Policy (CSP) violation reporting
- Review recent wiki edits for content matching known XSS evasion techniques
Monitoring Recommendations
- Enable and monitor MediaWiki's built-in logging for parser-related errors and warnings
- Configure Content Security Policy headers with report-uri to capture XSS attempt notifications
- Implement real-time alerting on wiki edits containing potential script injection patterns
- Monitor for unusual authentication patterns or session activity following page views
How to Mitigate CVE-2025-61638
Immediate Actions Required
- Upgrade MediaWiki to version 1.39.14, 1.43.4, or 1.44.1 (or later) depending on your release branch
- Upgrade Parsoid to version 0.16.6, 0.20.4, or 0.21.1 (or later) depending on your release branch
- Review recent wiki content changes for potentially malicious content that may have been injected
- Implement Content Security Policy headers to provide defense-in-depth against XSS attacks
Patch Information
Wikimedia Foundation has released patched versions addressing this vulnerability. Organizations should update to the following minimum versions:
| Component | Fixed Versions |
|---|---|
| MediaWiki | 1.39.14, 1.43.4, 1.44.1 |
| Parsoid | 0.16.6, 0.20.4, 0.21.1 |
For detailed patch information and release notes, refer to the Wikimedia Task T401099.
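An added example (not from the advisory or the MediaWiki project) that turns the patch table above and the Indicators of Compromise list into two checks: a branch-aware comparison of an installed MediaWiki/Parsoid version against the fixed releases, and a triage scan of revision text for inline event handlers, script tags and javascript: URLs. The revision records are constructed sample data; the handling of branches with no listed fix (e.g. 1.42.x) is an assumption stated in the code.

```python
import html
import re

# Fixed releases per branch, taken from the advisory's patch table.
FIXED = {
    "mediawiki": {"1.39": (1, 39, 14), "1.43": (1, 43, 4), "1.44": (1, 44, 1)},
    "parsoid": {"0.16": (0, 16, 6), "0.20": (0, 20, 4), "0.21": (0, 21, 1)},
}

def parse_version(text):
    """'1.43.3' or '1.44.0-rc.1' -> (1, 43, 3) / (1, 44, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def is_vulnerable(component, version):
    """True when the installed release is older than the fix on its branch.
    Assumption: a branch with no listed fix (e.g. 1.42.x) is vulnerable if
    older than the newest fixed release, and fixed if newer."""
    ver = parse_version(version)
    branches = FIXED[component]
    fix = branches.get(f"{ver[0]}.{ver[1]}")
    return ver < fix if fix else ver < max(branches.values())

# Triage heuristics: nowiki/pre blocks that merely document markup will also
# match, so hits are review candidates, not confirmed exploitation.
SUSPICIOUS = [
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
]

def scan_revisions(revisions):
    """Return (revid, user, [labels]) for matching revisions, checked raw and
    after entity decoding so an encoded handler like '&#111;nclick' is caught."""
    hits = []
    for rev in revisions:
        decoded = html.unescape(rev["text"])
        labels = sorted(label for label, pat in SUSPICIOUS
                        if pat.search(rev["text"]) or pat.search(decoded))
        if labels:
            hits.append((rev["revid"], rev["user"], labels))
    return hits

# Constructed sample revisions (not real wiki content).
SAMPLE_REVISIONS = [
    {"revid": 101, "user": "alice", "text": "== Intro ==\nSee [[Help:Editing]]."},
    {"revid": 102, "user": "bob", "text": '<div onmouseover="alert(1)">hover</div>'},
    {"revid": 103, "user": "carol", "text": '<div &#111;nclick="alert(1)">click</div>'},
    {"revid": 104, "user": "dave", "text": "[javascript:alert(1) link]"},
]
```

In practice the revision records would come from the wiki's revision log or the MediaWiki API; revision 103 only matches after entity decoding, which is why both forms are checked.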
Workarounds
- Implement strict Content Security Policy (CSP) headers to restrict script execution sources
- Temporarily restrict wiki editing permissions to trusted users until patches can be applied
- Enable additional input validation at the web server or WAF level to filter potential XSS payloads
- Consider placing the wiki in read-only mode if immediate patching is not possible
```apache
# Example: add Content Security Policy headers in the Apache configuration
# Add to your MediaWiki virtual host configuration. MediaWiki's ResourceLoader
# emits inline startup scripts, so a strict script-src may break the skin;
# roll out with Content-Security-Policy-Report-Only first and adjust.
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
</IfModule>
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.