Improper Input Validation in Mediawiki - Wikidata Extension by Wikimedia Foundation
CVE-2025-32071

10CRITICAL

Key Information:

Vendor: The Wikimedia Foundation
Status: Mediawiki - Wikidata Extension
Vendor: CVE Published:; 11 April 2025

Summary

The Wikimedia Foundation's Mediawiki - Wikidata Extension suffers from an improper input validation vulnerability that allows for Cross-Site Scripting (XSS) attacks. This security issue arises from inadequate handling of user input through the widthheight message in the ImageHandler::getDimensionsString() function. The flaw can be exploited in versions 1.39 to 1.43, facilitating the injection of malicious scripts. Users and administrators of affected versions are urged to apply the necessary patches to safeguard their applications.

Affected Version(s)

Mediawiki - Wikidata Extension 1.39 <= 1.43

References

https://phabricator.wikimedia.org/T389369

https://gerrit.wikimedia.org/r/q/Iac1f1c27054bfd1a4a42512...

CVSS V4

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Apr 11, 2025
Vulnerability Reserved
Apr 3, 2025

Credit

Lucas_Werkmeister_WMDE