VYPR
Medium severity (4.7) · OSV Advisory · Published Feb 13, 2025 · Updated Apr 15, 2026

CVE-2025-25287

Description

Lakeus is a simple skin made for MediaWiki. Starting in version 1.0.8 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to stored cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with (editinterface) rights can edit system messages that are improperly handled in order to send raw HTML. In the case of lakeus-footermessage, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in the Lakeus MediaWiki skin allows attackers with high privileges to inject malicious HTML via unsanitized system messages, affecting users when certain conditions are met.

Vulnerability Overview

CVE-2025-25287 is a stored cross-site scripting (XSS) issue in the Lakeus skin for MediaWiki, affecting versions from 1.0.8 up to, but not including, 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 [1]. The root cause is that system messages, such as lakeus-footermessage and those used in themeDesigner.js, are rendered without proper escaping, allowing an attacker with (editinterface) rights to inject raw HTML [2][4].

Attack Surface and Exploitation

Exploitation requires high privileges, specifically the editinterface permission, which is typically granted only to trusted users like administrators [1][4]. The attacker modifies an affected system message (e.g., lakeus-footermessage) to contain an XSS payload. In the case of lakeus-footermessage, this payload is served to all users if the server is configured to link back to the Lakeus repository. For messages used by themeDesigner.js, the attack only affects users who have enabled the theme designer in their preferences [2][4].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other users' browsers. This could lead to session hijacking, defacement, or further malicious actions within the MediaWiki instance. The impact is limited to users who either see the footer message under the affected server configuration or have enabled the theme designer in their preferences [1][4].

Mitigation

The vulnerability has been patched in versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0. Administrators are advised to update Lakeus to one of these patched releases. The fix ensures that system messages are properly escaped using methods such as .escaped() instead of raw message output [1][3]. There is no known workaround, and the vendor recommends upgrading [4].
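To show the fix class the advisory describes (escaped message output instead of raw HTML), here is an added example that is not Lakeus or MediaWiki code: a stand-in message store with `text()` and `escaped()` methods modelled on `mw.message()`, the unsafe and hardened footer renderers side by side, and an audit helper an administrator could run over system messages. All names and the sample messages are constructed for this example.

```javascript
// Added example, not code from the Lakeus skin. Models the difference between
// concatenating a system message as raw HTML and inserting it escaped.

// Same character set MediaWiki's HTML escaping covers (&, <, >, ", ').
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Hypothetical stand-in for messages stored in the MediaWiki: namespace.
class MessageStore {
  constructor(messages) { this.messages = messages; }
  // Like mw.message(key).text(): raw message content, no escaping applied.
  text(key) { return this.messages[key] ?? `<${key}>`; }
  // Like mw.message(key).escaped(): safe to place inside HTML text content.
  escaped(key) { return escapeHtml(this.text(key)); }
}

// Vulnerable pattern: raw message text is dropped straight into markup, so any
// tags an editinterface holder stored in the message become live HTML.
function renderFooterUnsafe(store) {
  return `<div id="footer-lakeus">${store.text('lakeus-footermessage')}</div>`;
}

// Hardened pattern: the message is escaped before insertion, so stored tags
// render as literal text.
function renderFooterSafe(store) {
  return `<div id="footer-lakeus">${store.escaped('lakeus-footermessage')}</div>`;
}

// Defender-side audit: report message keys whose stored content contains
// markup, which is worth reviewing on a wiki still running a vulnerable skin.
function findMessagesWithMarkup(store, keys) {
  return keys.filter((k) => /<[a-z!/?]/i.test(store.text(k)));
}

// Constructed sample messages: one benign, one carrying an injected tag.
const sampleStore = new MessageStore({
  'lakeus-footermessage': 'Powered by <script>alert(1)</script>',
  'lakeus-themedesigner-title': 'Theme designer',
});
```
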

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2 · Patches: 1


References: 4
