VYPR
Medium severity 5.4 · NVD Advisory · Published Apr 11, 2025 · Updated Apr 15, 2026

CVE-2025-32073

Description

Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS). This issue affects Mediawiki - HTML Tags: from 1.39 through 1.43.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input validation in MediaWiki HTML Tags extension allows XSS via system message htmltags-notagname.

Vulnerability Overview

CVE-2025-32073 is an improper input validation vulnerability in The Wikimedia Foundation's MediaWiki HTML Tags extension, affecting versions 1.39 through 1.43. The issue arises because the extension returns the literal contents of the system message "htmltags-notagname" without proper sanitization, and the return value of the tag function is interpreted as raw HTML [1]. This allows an attacker to inject arbitrary HTML or JavaScript.
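The pattern described above, as an added stand-alone PHP model placed beside its hardened form; it is not the HTML Tags extension's code or its patch. The message store, the `name` attribute and all function names are hypothetical, and the overridden message text is constructed sample data.

```php
<?php
// Simplified model of the flaw class; NOT the extension's actual code.
// Hypothetical names: $messages, msg(), tagVulnerable(), tagHardened().

// Constructed sample: stored system messages, one overridden with markup.
$messages = [
    'htmltags-notagname' =>
        'Error: no tag name given <script>/* constructed */</script>',
];

// Returns the stored message text verbatim; no escaping is applied here.
function msg(array $messages, string $key): string
{
    return $messages[$key] ?? $key;
}

// Vulnerable pattern: the tag function's return value is emitted as raw
// HTML, so the unescaped message text reaches the page as markup.
function tagVulnerable(array $messages, array $attrs): string
{
    if (($attrs['name'] ?? '') === '') {
        return msg($messages, 'htmltags-notagname');
    }
    return '<span>' . htmlspecialchars($attrs['name'], ENT_QUOTES, 'UTF-8') . '</span>';
}

// Hardened pattern: the message is treated as text and HTML-escaped
// before it is returned into the raw-HTML output channel.
function tagHardened(array $messages, array $attrs): string
{
    if (($attrs['name'] ?? '') === '') {
        return htmlspecialchars(
            msg($messages, 'htmltags-notagname'),
            ENT_QUOTES | ENT_SUBSTITUTE,
            'UTF-8'
        );
    }
    return '<span>' . htmlspecialchars($attrs['name'], ENT_QUOTES, 'UTF-8') . '</span>';
}

// Trigger the error path (no tag name supplied) and compare both outputs.
echo "vulnerable: ", tagVulnerable($messages, []), PHP_EOL;
echo "hardened:   ", tagHardened($messages, []), PHP_EOL;
```

In MediaWiki code the same distinction exists between `Message::text()` and `Message::escaped()`; which call the actual fix uses is not stated on this page.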

Exploitation

An attacker can exploit this vulnerability by supplying a crafted input that triggers the display of the unsanitized system message. The attack can be performed with low privileges (attacker requires some level of access to the wiki). The vulnerability is classified as XSS, which typically requires user interaction (e.g., clicking a crafted link) to be exploited. No authentication is needed beyond the basic user privileges required to interact with the extension's functionality [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to account takeover, data theft, or defacement of the wiki. The CVSS v3 score is 5.4 (Medium), reflecting the need for user interaction and the potential for significant impact on confidentiality and integrity [1].

Mitigation

The vulnerability has been patched by the MediaWiki development team. Users should update to a fixed version of the HTML Tags extension. The fix was implemented in Gerrit changesets and is part of the security release announcements for MediaWiki 1.39.12, 1.42.6, and 1.43.1 [1]. No known workarounds are documented; applying patches is recommended.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
