CVE-2025-23081
Description
Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS). This issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF and multiple XSS vulnerabilities in the MediaWiki DataTransfer extension allow attackers to forge requests and inject scripts.
Vulnerability Overview
The DataTransfer extension for MediaWiki is affected by both Cross-Site Request Forgery (CSRF) and multiple Cross-Site Scripting (XSS) vulnerabilities [1][2]. These flaws stem from improper neutralization of input during web page generation and a lack of CSRF protections in import functionality [1]. A spontaneous security review identified approximately nine XSS issues and the ability to import pages while the user is blocked, in addition to the CSRF vector [2].
Exploitation Conditions
An attacker can exploit the CSRF vulnerability by tricking an authenticated wiki user into performing unintended actions, such as importing malicious data [1][2]. The XSS issues allow injection of arbitrary script code into pages viewed by other users [1]. Exploitation does not require special network access; only a valid user session is needed for CSRF, and the XSS vectors rely on user interaction with crafted content.
Potential Impact
Successful CSRF attacks can lead to unauthorized data import, potentially overwriting legitimate wiki content with attacker-controlled data [2]. The XSS vulnerabilities enable attackers to execute arbitrary JavaScript in the context of other users' sessions, which can result in session hijacking, defacement, or theft of sensitive information [1]. The combined attack surface increases the risk for wikis running affected versions.
Mitigation Status
The vulnerabilities affect DataTransfer extension versions from 1.39.X before 1.39.11, 1.41.X before 1.41.3, and 1.42.X before 1.42.2 [1]. Patches have been proposed and the issue is tracked in the Wikimedia Phabricator [2]. Administrators should update to the latest patched version of the extension immediately. The extension is not hosted in Wikimedia production, so individual wiki operators must apply the fix [2].
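As an added illustration, not code from the DataTransfer extension or from the linked Gerrit patches, the following minimal MediaWiki special page shows the three controls the narrative above describes as missing or insufficient: an edit-token check on the import POST (CSRF), escaped output for user-supplied strings (XSS), and a refusal to import for blocked users. The class and the `processUpload` helper are hypothetical; the MediaWiki APIs called (`WebRequest`, `User::matchEditToken`, `Html::*`, `SpecialPage::checkPermissions`) are real.

```php
<?php
// Added example, not code from the DataTransfer extension. The special page
// name and processUpload() are assumptions; the MediaWiki calls are real APIs.
// Global class names (SpecialPage, Html, UserBlockedError) are the pre-1.40
// names that later releases keep as aliases.

class SpecialExampleImport extends SpecialPage {
    public function __construct() {
        parent::__construct( 'ExampleImport', 'import' ); // requires the 'import' right
    }

    public function execute( $subPage ) {
        $this->setHeaders();
        $this->checkPermissions();   // rejects users without the 'import' right
        $this->checkReadOnly();
        $user    = $this->getUser();
        $request = $this->getRequest();
        $out     = $this->getOutput();

        // Blocked users must not be able to import pages at all.
        if ( $user->getBlock() ) {
            throw new UserBlockedError( $user->getBlock() );
        }

        $filename = $request->getVal( 'import_file', '' );

        // CSRF defence: act only on a POST carrying this user's edit token.
        // A form submitted from another site cannot know the token, so the
        // import is simply not performed.
        if ( $request->wasPosted()
            && $user->matchEditToken( $request->getVal( 'wpEditToken' ) )
        ) {
            $this->processUpload( $request );   // hypothetical import helper
            $filename = '';
        }

        // XSS defence: user-controlled strings are emitted through Html::element
        // / Html::input, which escape them, never concatenated into raw HTML.
        $out->addHTML(
            Html::openElement( 'form', [
                'method' => 'post',
                'action' => $this->getPageTitle()->getLocalURL(),
            ] )
            . Html::hidden( 'wpEditToken', $user->getEditToken() )
            . Html::element( 'p', [], 'Last submitted file name: ' . $filename )
            . Html::input( 'import_file', $filename, 'text' )
            . Html::submitButton( 'Import' )
            . Html::closeElement( 'form' )
        );
    }
}
```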
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/data-transfer (Packagist) | >= 1.39.0, < 1.39.11 | 1.39.11 |
| mediawiki/data-transfer (Packagist) | >= 1.41.0, < 1.41.3 | 1.41.3 |
| mediawiki/data-transfer (Packagist) | >= 1.42.0, < 1.42.2 | 1.42.2 |
Affected products
- Range: >= 1.42.0, < 1.42.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-c3h5-h73c-29hq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-23081 (GHSA, advisory)
- gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451 (NVD, web)
- gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931 (NVD, web)
- gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0 (NVD, web)
- gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3 (NVD, web)
- gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7 (NVD, web)
- gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9 (NVD, web)
- phabricator.wikimedia.org/T379749 (NVD, web)
News mentions
No linked articles in our index yet.