CVE-2025-32067
📋 TL;DR
This CVE describes an improper input validation vulnerability in the Mediawiki Growth Experiments extension that allows cross-site scripting (XSS) attacks. Attackers can inject malicious scripts that execute in users' browsers when they interact with vulnerable pages. This affects Mediawiki installations running the Growth Experiments extension versions 1.39 through 1.43.
💻 Affected Systems
- Mediawiki Growth Experiments Extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal session cookies, perform actions as authenticated users, deface pages, or redirect users to malicious sites, potentially compromising user accounts and sensitive data.
Likely Case
Attackers inject malicious JavaScript that steals session cookies or performs limited actions in the context of logged-in users who visit compromised pages.
If Mitigated
With proper Content Security Policy (CSP) headers and input sanitization, the impact is reduced to limited script execution or blocked entirely.
🎯 Exploit Status
Exploitation requires the attacker to have some level of access to inject malicious input, but the technical complexity of XSS exploitation is low once input vectors are identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.44 or later
Vendor Advisory: https://phabricator.wikimedia.org/T386963
Restart Required: No
Instructions:
1. Update the Growth Experiments extension to version 1.44 or later.
2. For Mediawiki 1.39-1.43: Apply the patch from gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1122163.
3. Clear caches after updating.
🔧 Temporary Workarounds
Disable Growth Experiments Extension
Temporarily disable the vulnerable extension until patching is possible.
Edit LocalSettings.php and remove or comment out: wfLoadExtension('GrowthExperiments');
Implement Content Security Policy
Add CSP headers to mitigate XSS impact.
Add to the web server config (the line below is Apache mod_headers syntax) or emit the equivalent header from Mediawiki's LocalSettings.php: Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"
Adjust directives based on your specific needs
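The CSP suggested above keeps 'unsafe-inline' and 'unsafe-eval' in script-src, which is exactly what an injected script needs, so on its own it blocks very little of this XSS. The checker below is an added example, not code from the advisory or from MediaWiki: it parses a Content-Security-Policy header, works out the effective script-src (falling back to default-src the way browsers do), and lists the sources that still allow injected script. The two policy strings are constructed samples; the nonce value in the stricter one is a placeholder, and moving to a nonce-based policy requires the application to emit matching nonces on its own inline scripts.

```python
# Added example (not from the advisory page): lint a CSP header for settings
# that leave reflected/stored XSS exploitable. Policy strings are constructed.

# Policy as suggested on the advisory page.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"
# Hypothetical stricter policy; the nonce must be generated per response by the app.
STRICT_POLICY = ("default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
                 "object-src 'none'; base-uri 'self'")


def parse_csp(header: str) -> dict:
    """Parse 'directive value value; directive ...' into {directive: [values]}.
    A repeated directive keeps its first occurrence, matching browser behaviour."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, values)
    return policy


def effective_script_src(policy: dict) -> list:
    """script-src governs scripts; when it is absent the browser falls back to default-src."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def assess_script_policy(header: str) -> list:
    """Return human-readable findings; an empty list means no obvious script weakness."""
    sources = {s.lower() for s in effective_script_src(parse_csp(header))}
    findings = []
    if not sources:
        findings.append("no script-src or default-src: scripts may load from any origin")
        return findings
    # Per CSP2+, 'unsafe-inline' is ignored by browsers when a nonce or hash is also
    # present, so only flag it when nothing else governs inline scripts.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' lets injected inline scripts and event handlers run")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' lets injected strings reach eval()/Function()")
    if "*" in sources or sources & {"http:", "https:"}:
        findings.append("wildcard or bare scheme source lets scripts load from any host")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(label, assess_script_policy(policy) or "no script-src findings")
```

Run it as-is and the page's policy produces two findings while the nonce-based one produces none; paste your own header in place of WEAK_POLICY to see what it actually blocks.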
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user-controllable inputs in the Growth Experiments extension
- Deploy a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Growth Experiments extension version in Mediawiki's Special:Version page or examine the extension's version file
Check Version:
grep -r 'version' /path/to/mediawiki/extensions/GrowthExperiments/extension.json | grep -o '[0-9]\+\.[0-9]\+'
Verify Fix Applied:
Verify the extension version is 1.44 or later, or that the specific patch from gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1122163 has been applied
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in request logs
- Suspicious input patterns in Growth Experiments-related endpoints
- Unexpected script tags or event handlers in user-generated content
Network Indicators:
- External script loads from unexpected domains in page responses
- Suspicious redirects from Mediawiki pages
SIEM Query:
source="*access.log*" AND ("GrowthExperiments" OR "Special:GrowthExperiments") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
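The SIEM query above matches the literal strings "<script>", "javascript:", "onerror=" and "onload=", which will miss the common case where the browser or attacker percent-encodes the payload in the query string (a plain access log records "%3Cscript%3E", not "<script>"). The script below is an added example, not part of the advisory: it parses combined-format access log lines, decodes the request path (repeatedly, to surface double encoding) before applying the same indicator terms, and restricts hits to GrowthExperiments-related requests as the query does. The log lines are constructed samples, not real traffic.

```python
# Added example (not from the advisory page): apply the page's log indicators to
# access-log lines after URL-decoding, so encoded payloads are not missed.
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (combined format); two benign, two suspicious.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php?title=Special:Homepage HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /index.php?title=Special:GrowthExperiments&q=<script>alert(1)</script> HTTP/1.1" 200 4000
203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /api.php?action=growthexperiments&x=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 300
203.0.113.9 - - [10/Mar/2025:12:00:04 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 9000
"""

# Context terms and XSS markers mirrored from the page's SIEM query (case-insensitive).
CONTEXT_TERMS = ("growthexperiments",)  # also covers "Special:GrowthExperiments"
XSS_MARKERS = re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_request_path(path: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing, bounded so hostile input cannot loop forever."""
    current = path
    for _ in range(rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def scan_log(text: str) -> list:
    """Return one dict per GrowthExperiments request whose decoded path carries an XSS marker."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        decoded = decode_request_path(m.group("path"))
        if not any(term in decoded.lower() for term in CONTEXT_TERMS):
            continue
        marker = XSS_MARKERS.search(decoded)
        if marker:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "marker": marker.group(0).lower(),
                "path": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} marker={hit['marker']!r} {hit['path']}")
```

Feed it a real log with `scan_log(open(path).read())`; a 200 status on a hit is worth more attention than a 4xx, since it means the server handled the tainted request rather than rejecting it.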