CVE-2025-59332
📋 TL;DR
3DAlloy MediaWiki extension versions 1.0 through 1.8 contain a cross-site scripting (XSS) vulnerability in the <3d> parser tag and {{#3d}} parser function. Attackers can inject arbitrary JavaScript through unsanitized custom attributes, which executes when users view affected pages. All MediaWiki installations using vulnerable 3DAlloy versions are affected.
💻 Affected Systems
- 3DAlloy MediaWiki Extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, data theft, or malware distribution through persistent XSS affecting all users viewing 3D content
Likely Case
Session hijacking, credential theft, or defacement of pages containing 3D content
If Mitigated
Limited impact if input validation blocks malicious attributes or Content Security Policy prevents script execution
🎯 Exploit Status
XSS exploitation is well-understood; advisory includes example payload
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9
Vendor Advisory: https://github.com/dolfinus/3DAlloy/security/advisories/GHSA-f2rp-232x-mqrh
Restart Required: No
Instructions:
1. Update the 3DAlloy extension to version 1.9 via the MediaWiki extension manager or by manual installation.
2. Clear the parser cache if needed.
🔧 Temporary Workarounds
Disable 3DAlloy Extension
Temporarily disable the vulnerable extension until patching
Remove or comment out wfLoadExtension('3DAlloy'); from LocalSettings.php
Input Validation Filter
Add custom validation to block suspicious attributes in 3D tags
Implement MediaWiki hook to sanitize $wg3DAlloyAttributes before rendering
🧯 If You Can't Patch
- Restrict edit permissions for <3d> and {{#3d}} tags to trusted users only
- Implement strict Content Security Policy to block inline JavaScript execution
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki's extensions/3DAlloy/extension.json for version number
Check Version:
grep -i version extensions/3DAlloy/extension.json
Verify Fix Applied:
Confirm version is 1.9+ and test with sample XSS payload in 3D tag attributes
📡 Detection & Monitoring
Log Indicators:
- Unusual attribute patterns in 3D tags
- JavaScript execution errors in browser logs
Network Indicators:
- External script loads from 3D content pages
SIEM Query:
source="mediawiki.log" AND "<3d" AND ("onclick" OR "onload" OR "javascript:")
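An added detection helper in Python (not part of this advisory or of the 3DAlloy project) that implements the log indicators above over constructed sample wikitext: it flags <3d> tags and {{#3d}} calls carrying any on* event-handler attribute or a javascript: URI (generalizing the SIEM query's onclick/onload terms), and checks an extension.json version string against the 1.9 fix. It assumes extension.json carries the standard "version" key.

```python
import json
import re

# Any on* attribute is an event handler; the SIEM query only names two.
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)
SCRIPT_URI = re.compile(r"javascript\s*:", re.IGNORECASE)

TAG_RE = re.compile(r"<3d\b([^>]*)>", re.IGNORECASE)          # <3d ...>
FUNC_RE = re.compile(r"\{\{#3d:([^}]*)\}\}", re.IGNORECASE)   # {{#3d:...}}
# name=value pairs; unquoted values stop at whitespace, quotes, '>' or '|'
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>|]+)')


def suspicious_attrs(attr_text):
    """Return (name, value) pairs that look like script injection."""
    hits = []
    for name, raw in ATTR_RE.findall(attr_text):
        value = raw.strip("\"'")
        if EVENT_HANDLER.match(name) or SCRIPT_URI.search(value):
            hits.append((name.lower(), value))
    return hits


def scan_wikitext(text):
    """Scan one revision or log line; returns (kind, attr, value) findings."""
    findings = []
    for m in TAG_RE.finditer(text):
        findings += [("tag", n, v) for n, v in suspicious_attrs(m.group(1))]
    for m in FUNC_RE.finditer(text):
        # parser-function arguments are pipe-separated key=value pairs
        findings += [("function", n, v) for n, v in suspicious_attrs(m.group(1))]
    return findings


def version_is_patched(extension_json_text, fixed=(1, 9)):
    """Parse extension.json's "version" field and compare it against 1.9."""
    version = json.loads(extension_json_text)["version"]
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:2])
    return parts >= fixed


SAMPLE_LINES = [  # constructed sample wikitext, not real log data
    '<3d file="Model.stl" color="#ff0000" width="400"></3d>',
    '<3d file="Model.stl" onload="x()" width="400"></3d>',
    '{{#3d:Model.stl|color=#00ff00}}',
    '{{#3d:Model.stl|href=javascript:x()}}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(scan_wikitext(line))
```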