CVE-2025-62665
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Skin:BlueSky allows Stored XSS. This issue affects Mediawiki - Skin:BlueSky: from master before 1.39.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in MediaWiki Skin:BlueSky allows attackers to inject malicious scripts via system messages, affecting versions before 1.39.
Vulnerability
CVE-2025-62665 is a stored cross-site scripting (XSS) vulnerability in the Wikimedia Foundation's MediaWiki extension Skin:BlueSky. The issue stems from improper neutralization of user input during web page generation, specifically within system messages. This allows an attacker to inject arbitrary JavaScript or HTML that is stored and executed when other users view affected pages [1].
Exploitation
To exploit this vulnerability, an attacker needs the ability to modify system messages, which typically requires administrator-level privileges on the MediaWiki instance. The set of potential attackers is therefore limited to users who hold permission to edit these messages. The stored XSS payload can be triggered when any user visits a page that renders the compromised system message, such as common interface elements or error pages [1].
Impact
Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, defacement, or unauthorized actions performed on behalf of the victim. Since the script executes in the context of the MediaWiki session, it may access sensitive data or perform actions without the user's consent [1].
Mitigation
The vulnerability affects Skin:BlueSky versions from master before 1.39. Users are advised to update to version 1.39 or later, where the issue is patched. Administrators who cannot immediately upgrade should restrict access to system message editing to trusted users only [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.39
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.