CVE-2025-61644


📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in MediaWiki's WatchlistTopSectionWidget.js component. It allows attackers to inject malicious scripts into web pages, potentially compromising user sessions or stealing sensitive data. All MediaWiki instances using affected versions are vulnerable.

💻 Affected Systems

Products:
  • Wikimedia Foundation MediaWiki
Versions: All versions before commit fb856ce9cf121e046305116852cca4899ecb48ca
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the RCFilters UI component specifically in watchlist functionality

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟠 Likely Case

Session hijacking, cookie theft, or limited defacement of user-specific interface elements.

🟢 If Mitigated

Script execution limited to the user's own browser session with minimal data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

XSS vulnerabilities typically require user interaction or specific conditions to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit fb856ce9cf121e046305116852cca4899ecb48ca and later

Vendor Advisory: https://phabricator.wikimedia.org/T403411

Restart Required: No

Instructions:

1. Update MediaWiki to a version containing commit fb856ce9cf121e046305116852cca4899ecb48ca or later.
2. Clear browser caches.
3. Verify the fix by checking for the commit hash in your installation.

🔧 Temporary Workarounds

Disable RCFilters UI (applies to: all)

Temporarily disable the affected RCFilters UI component to prevent exploitation.

Add $wgRCFiltersEnabled = false; to LocalSettings.php

Content Security Policy (applies to: all)

Implement strict CSP headers to mitigate XSS impact.

Add Content-Security-Policy headers to web server configuration

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Disable watchlist functionality for non-essential users

🔍 How to Verify

Check if Vulnerable:

Check whether your MediaWiki installation includes commit fb856ce9cf121e046305116852cca4899ecb48ca. If it does not, you are vulnerable.

Check Version (shows the most recent commit that touched the affected file):

git log --oneline -1 resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.js

Verify Fix Applied:

Verify that the commit hash is present in your installation and test the watchlist functionality for script injection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags in watchlist-related requests
  • JavaScript payloads in URL parameters

Network Indicators:

  • Suspicious script injections in HTTP requests to watchlist endpoints

SIEM Query:

web_requests WHERE url CONTAINS 'watchlist' AND (body CONTAINS '<script>' OR params CONTAINS 'javascript:')
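The SIEM query above matches only literal `<script>` and `javascript:` strings. The following added example (not part of this advisory) applies the same watchlist-plus-script-indicator logic to constructed request records, URL-decoding the query string and body first so percent-encoded and double-encoded variants of the same payload are not missed. The sample requests, the inline event-handler pattern and the function names are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request records (not real traffic): (method, URL, body).
SAMPLE_REQUESTS = [
    ("GET", "/w/index.php?title=Special:Watchlist&days=7", ""),
    ("GET", "/w/index.php?title=Special:Watchlist&days=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("POST", "/w/index.php?title=Special:Watchlist", "days=javascript%3Aalert(1)"),
    ("GET", "/w/index.php?title=Main_Page", ""),
    ("POST", "/w/index.php?title=Special:Watchlist", "days=7&limit=50"),
]

# Script-injection indicators, applied after URL decoding so that encoded
# forms of the same payload are matched as well. The event-handler pattern
# is an assumed extension beyond the advisory's two literal indicators.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),  # inline handlers such as onerror=
]


def decode(text: str) -> str:
    """Decode twice: double-encoded payloads are a common evasion."""
    return unquote_plus(unquote_plus(text))


def is_suspicious(method: str, url: str, body: str) -> bool:
    """True when the request targets watchlist functionality and its decoded
    URL or body carries a script indicator."""
    if "watchlist" not in url.lower():
        return False
    haystack = decode(url) + "\n" + decode(body)
    return any(p.search(haystack) for p in SCRIPT_PATTERNS)


def flag_requests(requests):
    """Return the indices of suspicious entries in a list of (method, url, body)."""
    return [i for i, (m, u, b) in enumerate(requests) if is_suspicious(m, u, b)]


if __name__ == "__main__":
    for i in flag_requests(SAMPLE_REQUESTS):
        print("suspicious:", SAMPLE_REQUESTS[i][0], SAMPLE_REQUESTS[i][1])
```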
