CVE-2025-32071
Description
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikidata Extension allows Cross-Site Scripting (XSS) from widthheight message via ImageHandler::getDimensionsString(). This issue affects Mediawiki - Wikidata Extension: from 1.39 through 1.43.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A medium-severity XSS vulnerability in the Wikibase extension for MediaWiki allows attackers to inject arbitrary JavaScript via the widthheight message in ImageHandler::getDimensionsString().
The vulnerability CVE-2025-32071 is a cross-site scripting (XSS) issue in the Wikibase extension for MediaWiki, specifically in the CommonsInlineImageFormatter component. The root cause is an improper input validation vulnerability in the ImageHandler::getDimensionsString() function, which fails to sanitize the widthheight message. This allows an attacker to inject arbitrary HTML and JavaScript into the output rendered to users.
Exploitation
An attacker can exploit this weakness by crafting a malicious widthheight message parameter. The attack does not require elevated privileges, but it does rely on the ability to influence the message content processed by Wikibase. When MediaWiki renders an inline image from Commons, the unsanitized message is included in the page output, leading to script execution in the context of the victim's browser.
Impact
Successful exploitation enables arbitrary client-side code execution. An attacker could steal session cookies, redirect users to malicious sites, deface pages, or perform other actions impersonating the targeted user. The vulnerability affects all deployments of the Wikibase extension running MediaWiki versions from 1.39 through 1.43.
Mitigation
The issue was fixed in a patched version of the extension, resolved in the Wikimedia Phabricator report [1]. Administrators are strongly advised to update the Wikibase extension to the latest available version that includes the security fix. No workarounds have been published; upgrading to the patched release is the only effective mitigation.
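The following PHP snippet is an added illustration of the bug class described in the Exploitation and Mitigation sections above; it is not Wikibase's or MediaWiki core's code, and the fix it shows is not necessarily the one applied upstream. It assumes a hypothetical renderer that expands an interface message (the widthheight message, whose on-wiki content is not trusted input) and inserts the result into HTML, and contrasts the unescaped pattern with an escaped one. The sample message, the function names and the tag-counting check are all constructed for this example.

```php
<?php
// Added illustration (not Wikibase's or MediaWiki's code) of the bug class
// behind CVE-2025-32071: an interface message is interpolated into HTML
// without escaping. All functions and the sample message are hypothetical.

// Hypothetical source of the message. In MediaWiki, interface messages can be
// overridden on-wiki (MediaWiki:<message-name>), so their text is untrusted.
function getWidthHeightMessage(): string {
    // Constructed sample: the usual "$1 × $2" template with markup appended.
    return '$1 × $2<img src=x onerror="alert(1)">';
}

// Substitute the numeric parameters into the message template.
function expandMessage(string $template, int $width, int $height): string {
    return str_replace(['$1', '$2'], [(string) $width, (string) $height], $template);
}

// Vulnerable pattern: the expanded message text goes straight into the markup.
function renderDimensionsUnsafe(int $width, int $height): string {
    $dims = expandMessage(getWidthHeightMessage(), $width, $height);
    return '<span class="dimensions">' . $dims . '</span>';
}

// Hardened pattern: HTML-escape the expanded text before inserting it.
// In MediaWiki the equivalents are Message::escaped() or Html::element(),
// both of which escape the text argument; plain htmlspecialchars() is used
// here so the file runs stand-alone.
function renderDimensionsSafe(int $width, int $height): string {
    $dims = expandMessage(getWidthHeightMessage(), $width, $height);
    $escaped = htmlspecialchars($dims, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="dimensions">' . $escaped . '</span>';
}

// Review/unit-test check: count start tags in the fragment. Only the
// wrapper element should be present, so anything above 1 means message
// content reached the output as live markup.
function countStartTags(string $html): int {
    return preg_match_all('/<[A-Za-z]/', $html);
}

$unsafe = renderDimensionsUnsafe(640, 480);
$safe   = renderDimensionsSafe(640, 480);

echo $unsafe, PHP_EOL;                 // contains a second element: <img ...>
echo $safe, PHP_EOL;                   // markup rendered as &lt;img ...&gt; text
echo countStartTags($unsafe), PHP_EOL; // 2
echo countStartTags($safe), PHP_EOL;   // 1
```

The detection check is deliberately generic: it does not look for a particular payload, only for any start tag beyond the one the renderer itself emits, which is the property a reviewer wants to hold for every message-derived fragment regardless of what a tampered message contains.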
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions
No linked articles in our index yet.