CVE-2020-25828
Description
An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki before 1.31.10, and 1.32.x through 1.34.x before 1.34.4, allows XSS via mw.message().parse() when jqueryMsg is not loaded, because the fallback code path does not HTML-escape message parameters.
Root Cause
The vulnerability resides in the non-jqueryMsg code path of mw.message().parse(), which substitutes message parameters into the output without HTML-escaping them. When jqueryMsg is loaded, message contents are restricted to a whitelist of tags and every parameter is escaped; the fallback path does neither [2][4]. Message contents are generally admin-controlled and safe, but parameters can be derived from user input, which is what makes the missing escaping exploitable.
Exploitation
An attacker who can influence a message parameter (for example a value reflected from the request into a message) can inject arbitrary HTML or JavaScript, because the parameter is rendered unescaped. Exploitation requires that jqueryMsg not be loaded on the affected page; this is rare in practice, but occurs for example on Special:SpecialPages on a wiki with no extensions installed [2].
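The two code paths described above, as an added example written for this page. It is a simplified model, not MediaWiki's own implementation of mw.message().parse() or of jqueryMsg: the message table, the tag allowlist and the payload are constructed here, and the helper names (parseWithoutJqueryMsg, parseWithJqueryMsg, filterMessageContent) are stand-ins chosen for illustration.

```javascript
// Added example for this page: a simplified model of the two code paths the
// advisory describes. These are stand-in functions written here, not
// MediaWiki's implementation of mw.message().parse() or jqueryMsg.

// Constructed message table. Message text is wiki-admin controlled and is
// treated as trusted HTML in both paths, as the advisory notes.
const MESSAGES = {
  'specialpages-summary': 'Showing <b>$1</b> special pages matching <i>$2</i>',
};

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  })[c]);
}

// Replace $1, $2, ... with the corresponding parameter, run through `transform`.
// A placeholder with no matching parameter is left as-is.
function substituteParams(text, params, transform) {
  return text.replace(/\$(\d+)/g, (match, n) => {
    const idx = Number(n) - 1;
    return idx < params.length ? transform(params[idx]) : match;
  });
}

// Model of the vulnerable fallback (jqueryMsg not loaded): parameters are
// concatenated into the message HTML verbatim.
function parseWithoutJqueryMsg(key, ...params) {
  return substituteParams(MESSAGES[key], params, (p) => String(p));
}

// Model of the safe behaviour: message content keeps only a small allowlist of
// attribute-free tags (a simplified stand-in for jqueryMsg's whitelist, not its
// real list), and every parameter is HTML-escaped before substitution.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code']);

function filterMessageContent(html) {
  return html.replace(/<\/?([A-Za-z0-9]+)[^>]*>/g, (tag, name) => {
    const bare = /^<\/?[A-Za-z0-9]+>$/.test(tag); // tag carries no attributes
    return ALLOWED_TAGS.has(name.toLowerCase()) && bare ? tag : escapeHtml(tag);
  });
}

function parseWithJqueryMsg(key, ...params) {
  return substituteParams(filterMessageContent(MESSAGES[key]), params, escapeHtml);
}

// Constructed attacker-influenced parameter (e.g. a search term reflected into
// a message): an image tag whose event handler runs script.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';

// Render the same message through both paths so the difference is visible.
function demo() {
  return {
    vulnerable: parseWithoutJqueryMsg('specialpages-summary', 3, PAYLOAD),
    safe: parseWithJqueryMsg('specialpages-summary', 3, PAYLOAD),
  };
}

console.log(demo());
```

In the vulnerable output the `<img ... onerror=...>` lands in the page markup unchanged and the handler fires when the browser parses it; in the safe output the same parameter is rendered as text (`&lt;img ... &gt;`) inside the admin-authored `<i>` tag. On a live wiki, the relevant condition is whether the jqueryMsg module is present on the page in question; `mw.loader.getState('mediawiki.jqueryMsg')` in the browser console reports the module's load state, and anything other than a loaded or ready state means the fallback path is what mw.message().parse() would use.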
Impact
Successful exploitation leads to cross-site scripting (XSS): the injected script runs in the victim's browser under the wiki's origin, allowing an attacker to execute arbitrary actions as that user, steal sessions, or deface pages [2].
Mitigation
The issue is fixed in MediaWiki 1.31.10 and 1.34.4 per the release announcement and the CVE description; administrators should upgrade to those versions or later. The fix is tracked in Phabricator as T115888 [3][4]. Note that the package table below, sourced from the GitHub Security Advisory, lists 1.31.9 and 1.34.3 as patched versions, which does not match the announcement; when in doubt, treat anything below 1.31.10 or 1.34.4 as affected.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| mediawiki/core | Packagist | >= 1.31.0, < 1.31.9 | 1.31.9 |
| mediawiki/core | Packagist | >= 1.32.0, < 1.34.3 | 1.34.3 |
| mediawiki/core | Packagist | >= 1.35.0-rc.0, < 1.35.0 | 1.35.0 |
Affected products
Two OSV version coordinates, neither with a CPE:
- range: >= 1.31.10, < 1.31.11
- range: >= 1.31.0, < 1.31.9
Patches
No patch commits linked yet.
References
- github.com/advisories/GHSA-h8qx-mj6v-2934 (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/ (MITRE, vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-25828 (GHSA, advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2020-25828.yaml (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6 (GHSA, web; same Fedora announcement as the MITRE entry above)
- lists.wikimedia.org/pipermail/mediawiki-announce (GHSA, x_refsource_MISC, web)
- lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html (GHSA, x_refsource_CONFIRM, web)
- lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html (GHSA, x_refsource_MISC, web)
- phabricator.wikimedia.org/T115888 (GHSA, web)