Arbitrary JavaScript Execution in 3DAlloy for MediaWiki
CVE-2025-59332

8.6HIGH

Key Information:

Vendor: Dolfinus
Status: 3dalloy
Vendor: CVE Published:; 15 September 2025

What is CVE-2025-59332?

3DAlloy, a lightweight 3D-viewer extension for MediaWiki, allows users to input custom attributes via the <3d> parser tag and the {{#3d}} parser function. However, versions 1.0 to 1.8 fail to properly sanitize these attributes, permitting the insertion and execution of arbitrary JavaScript code. This vulnerability poses significant risks to users of the affected versions as it enables potential exploits leading to unauthorized access and manipulation of the MediaWiki environment.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

3DAlloy >= 1.0, <= 1.8

References

https://github.com/dolfinus/3DAlloy/security/advisories/G...

x_refsource_CONFIRM

https://github.com/dolfinus/3DAlloy/commit/9fac7936254886...

x_refsource_MISC

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 15, 2025
Vulnerability Reserved
Sep 12, 2025

JSON

Dolfinus