VYPR
Medium severity · NVD Advisory · Published Oct 17, 2025 · Updated Apr 29, 2026

CVE-2025-62652

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki WebAuthn extension allows Stored XSS. This issue affects MediaWiki WebAuthn extension: 1.39, 1.43, 1.44.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in MediaWiki WebAuthn extension allows attackers to inject arbitrary JavaScript via the key name field, affecting versions 1.39, 1.43, and 1.44.

Vulnerability

CVE-2025-62652 is a stored cross-site scripting (XSS) vulnerability in the MediaWiki WebAuthn extension, affecting versions 1.39, 1.43, and 1.44. The root cause is improper neutralization of user input during the WebAuthn key registration process. When a user sets up a WebAuthn key, the name provided for the key is not sanitized, allowing arbitrary HTML and JavaScript to be stored and later executed [1].
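The root cause in miniature, as an added PHP example written for this page (not the WebAuthn extension's own code; the function names and the sample key names are constructed): a stored key name concatenated into HTML unescaped, beside the escaped rendering that prevents the issue, plus an audit helper for names already stored.

```php
<?php
// Added example, not code from the MediaWiki WebAuthn extension.
// Shows the root cause of CVE-2025-62652 in miniature: a stored key name
// concatenated into HTML unescaped, beside the escaped rendering that
// would have prevented it.

// Constructed sample of stored key names: one benign, one carrying the
// kind of markup the advisory describes being entered during key setup.
const SAMPLE_KEY_NAMES = [
    'My laptop key',
    '<script>alert("oops")</script>',
];

// Vulnerable pattern: the name is trusted and dropped straight into HTML,
// so a stored name that contains markup becomes live markup on the
// account-security page for whoever views it.
function renderKeyRowUnsafe(string $keyName): string
{
    return '<tr><td>' . $keyName . '</td></tr>';
}

// Hardened pattern: untrusted text is HTML-escaped at output time.
// MediaWiki's own Html::element() helper does this for element content;
// htmlspecialchars() is the underlying PHP primitive used here.
function renderKeyRowSafe(string $keyName): string
{
    $escaped = htmlspecialchars($keyName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $escaped . '</td></tr>';
}

// Defender's audit helper: flag already-stored names that contain markup,
// which is what a wiki administrator would want to list after patching.
function findSuspiciousKeyNames(array $keyNames): array
{
    return array_values(array_filter(
        $keyNames,
        fn(string $n): bool => $n !== strip_tags($n)
    ));
}

foreach (SAMPLE_KEY_NAMES as $name) {
    echo "unsafe: " . renderKeyRowUnsafe($name) . "\n";
    echo "  safe: " . renderKeyRowSafe($name) . "\n";
}
echo "stored names containing markup: "
    . implode(', ', findSuspiciousKeyNames(SAMPLE_KEY_NAMES)) . "\n";
```

The escaped row renders the second name as inert text (`&lt;script&gt;...`), while the audit helper lists it so it can be reviewed or renamed after the extension is updated.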

Exploitation

To exploit this vulnerability, an attacker must have an account on the wiki that does not have two-factor authentication (2FA) enabled. During the WebAuthn key setup, the attacker enters a malicious payload (e.g., oops) as the key name. After completing the setup, the payload is stored and executed every time the victim visits the Special:AccountSecurity page, where the key name is rendered without sanitization [1].

Impact

An attacker can execute arbitrary JavaScript in the context of the victim's session on the Special:AccountSecurity page. While the page normally disables user scripts, this XSS bypasses that restriction, potentially allowing the attacker to perform actions on behalf of the victim, such as modifying security settings or exfiltrating data. The attack requires user interaction during the key setup phase, but the stored payload triggers automatically on subsequent page loads [1].

Mitigation

The vulnerability has been fixed in the MediaWiki WebAuthn extension. Users should update to the latest patched version. No workaround is available other than disabling the extension. The issue is publicly disclosed and tracked in the Wikimedia Phabricator as task T403093 [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
