CVE-2025-21612 · TabberNeue is a MediaWiki extension

01 · The Real Story

This is less a drive-by break-in than a poisoned sticky note left on an internal wiki page

CVE-2025-21612 is an XSS flaw in the TabberNeue MediaWiki extension's TabberTransclude path. In versions >= 1.9.1 and < 2.7.2, the extension prints an invalid transcluded page name into an HTML error block without escaping it, so a crafted pageName inside <tabbertransclude> can inject script into the rendered wiki page. The vendor fix landed in commit f229cab and shipped in release 2.7.2 on 2025-01-04; the CVE was disclosed on 2025-01-06.

The vendor's 8.6 HIGH score overrates real-world enterprise risk because the CVSS assumes pure unauthenticated network reachability with no user interaction, while the practical chain usually requires the attacker to be able to edit wiki content or otherwise cause crafted wikitext to be rendered in a TabberNeue-enabled wiki. That makes this a *post-exposure content-authoring abuse case*, not a broad internet worm path. It still matters because successful stored XSS against a wiki can target privileged editors and admins, but the reachable population is much narrower than the score suggests.

"High on paper, medium in practice: this XSS usually needs page-edit capability inside a niche MediaWiki deployment."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a wiki that actually uses TabberNeue transclusion

The attacker first needs a MediaWiki deployment with the TabberNeue extension enabled and using the <tabbertransclude> feature. The vulnerable code path was introduced by commit d8c3db4, which added transclusion handling that later emitted an unescaped invalid title into HTML. This is not generic MediaWiki exposure; it is an extension-specific feature path.

Conditions required:

MediaWiki instance has TabberNeue installed
Version is >= 1.9.1 and < 2.7.2
<tabbertransclude> content is allowed/rendered on reachable pages

Where this breaks in practice:

There is no reliable internet-scale fingerprint for this extension from the edge alone
Many MediaWiki sites do not run this extension at all
Even where installed, the vulnerable path only matters if transclusion syntax is used

Detection/coverage: External scanners usually miss this; SBOM/package inventory or file-based checks on the wiki host are more reliable than perimeter scans.

STEP 02

Gain content-authoring ability

To weaponize the bug, the attacker needs to create or edit wiki content containing a malicious <tabbertransclude> entry with a crafted invalid pageName. The GitHub advisory explicitly says any user that can edit pages or otherwise render wikitext can XSS other users. On many enterprise wikis, that means authenticated contributors, not random internet users.

Conditions required:

Anonymous editing is enabled, or attacker has a contributor account, or another workflow can render attacker-supplied wikitext
Page edits are not moderated before publication

Where this breaks in practice:

SSO, role-based editing, moderation queues, and private wiki access all cut exposure hard
AbuseFilter/custom content rules may block obvious payloads
Read-only documentation wikis remove the easiest authoring path

Detection/coverage: Change auditing in MediaWiki, AbuseFilter logs, and page diff review can catch suspicious <tabbertransclude> content if defenders are looking.

STEP 03

Trigger the unescaped invalid-title branch

The malicious entry must drive execution into the invalid-title error path where sprintf('<div class="error">Invalid title: %s</div>', $pageName) reflected attacker input directly. The fixing commit changed this to Sanitizer::escapeHtmlAllowEntities( $pageName ), closing the sink. The GHSA notes that only this first XSS was reproducible in production.

Conditions required:

Crafted pageName is invalid enough to hit the error branch
Injected payload survives wiki parsing into the vulnerable sink

Where this breaks in practice:

This is a specific branch condition, not every tab definition
Parser behavior and content sanitation can break low-quality payloads
The advisory itself narrows reproducibility to one confirmed sink

Detection/coverage: Code-aware SAST or targeted grep of includes/TabberTransclude.php can detect the vulnerable sink; generic DAST is hit-or-miss unless it understands MediaWiki syntax.

STEP 04

Wait for a victim to view the poisoned page

Although the CNA vector marks UI:N, the operational reality of stored wiki XSS is that a victim user still has to render the poisoned page for the browser-side payload to execute. If that user is a privileged editor or wiki admin, the attacker can steal session context, perform actions in the victim's browser, or pivot into administrative changes inside the wiki.

Conditions required:

Another user visits the malicious page
Browser executes the injected script under the wiki origin

Where this breaks in practice:

No victim view means no impact
Short-lived sessions, SameSite cookies, CSP, and re-auth flows can blunt follow-on abuse
Impact is usually bounded to the wiki application and its trust relationships

Detection/coverage: Browser-side XSS is hard for network scanners to see; look for anomalous admin actions after page views, suspicious page revisions, and CSP/report-uri telemetry if enabled.

03 · Intelligence Metadata

The supporting signals.

In the wild	No evidence found of active exploitation campaigns in the sources reviewed. Not in CISA KEV.
Proof-of-concept availability	There is a clear vendor advisory and code-level sink disclosure in the GHSA, plus the vulnerable and fixing commits. I did not find a widely shared standalone exploit repo in GitHub search results.
EPSS	`0.00258` from the user-supplied intel block — very low predicted exploitation probability.
KEV status	No. CVE-2025-21612 does not appear in the CISA Known Exploited Vulnerabilities Catalog.
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L` is the CNA score, but the practical chain usually implies content creation rights and a viewer/admin victim, so the real-world path behaves closer to authenticated or semi-trusted content injection than true drive-by unauthenticated exploitation.
Affected versions	GitLab's advisory database lists all versions from `1.9.1` before `2.7.2` as affected.
Fixed versions	Upgrade to `2.7.2` or later. I found no distro backport advisory in the sources reviewed.
Exposure population	This is a niche extension problem, not a core MediaWiki flaw. MediaWiki.org shows TabberNeue is used in some wiki ecosystems such as Miraheze, MyWikis, ProWiki, Telepedia, and wiki.gg, but there is no strong internet-scale fingerprint proving broad enterprise exposure.
Disclosure and patch timing	Patch release `2.7.2` shipped 2025-01-04; GHSA was published 2025-01-04; NVD shows the CVE published 2025-01-06.
Researcher / reporting org	The GitHub advisory was published by `alistair3149`, the project maintainer, through GitHub Security Advisories.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.8/10)

The decisive factor is that this bug is usually only reachable after the attacker can author or inject wiki content on a TabberNeue-enabled MediaWiki instance. That sharply reduces exposed population and makes this a *stored XSS inside an already reachable collaboration platform*, not a broad unauthenticated edge compromise.

HIGH Affected/fixed version range and vulnerable sink identification

MEDIUM Real-world exploitability downgrade from the CNA CVSS assumptions

MEDIUM Absence of public exploitation evidence

Why this verdict

Downward pressure: requires attacker content position in most real deployments. The advisory says exploitation comes from users who can edit pages or otherwise render wikitext; that usually implies authenticated contributor access or a permissive anonymous-edit wiki, not arbitrary internet reachability.
Downward pressure: narrow product and feature population. This is not core MediaWiki; it is a third-party extension, and the vulnerable sink is in the TabberTransclude path specifically, so only a subset of MediaWiki estates are even candidates.
Downward pressure: no KEV, no active-campaign evidence, very low EPSS. With no known in-the-wild exploitation signal and a low predicted exploitation probability, there is no intel amplifier justifying a HIGH bucket.
Upward pressure: stored XSS can still hit admins. If an attacker can plant the payload and lure a privileged wiki user to the page, same-origin script execution can steal session context or drive admin actions inside the wiki.

Why not higher?

It is not higher because the attack chain compounds several real-world prerequisites: the target must run a niche extension, the vulnerable transclusion mode must be present, and the attacker usually needs page-edit capability or another route to render crafted wikitext. That is meaningful friction for an enterprise patch queue. The absence of KEV listing, public exploit tooling, or active exploitation telemetry removes the main reasons to keep this in HIGH.

Why not lower?

It is not lower because stored XSS on a collaboration platform can still become account takeover or privileged action execution when an admin views the page. In organizations where documentation wikis are integrated with SSO and have high-trust admin sessions, the blast radius is limited but not trivial.

05 · Compensating Control

What to do — in priority order.

Restrict who can edit pages using TabberNeue — Limit edit rights for namespaces or groups that can publish <tabbertransclude> content, and do it immediately as an administrative control while you work the fix. For a MEDIUM verdict there is no formal noisgate mitigation SLA, but this is the cleanest exposure reducer because it removes the attacker's authoring position.
Add AbuseFilter or content linting rules — Create a rule to flag or block new <tabbertransclude> entries containing suspicious title strings, HTML metacharacters, or obvious XSS probes. This is useful as a temporary control and should be deployed as soon as your wiki admins can safely test it.
Review recent page revisions for the tag — Search for pages containing <tabbertransclude> and inspect recent edits for invalid titles or payload-like strings. Do this during the same remediation cycle so you are not just patching forward while leaving stored payloads in content.
Enable or tighten CSP reporting on the wiki — A browser Content-Security-Policy with reporting will not guarantee prevention, but it improves visibility into attempted script execution from poisoned pages. Roll this out carefully to avoid breaking legitimate wiki features and use it for detection rather than as your only control.

What doesn't work

A perimeter WAF alone is weak here because the payload is stored in wiki content and rendered later; this is not just a single HTTP request signature problem.
Generic network vulnerability scans usually will not tell you whether TabberNeue is installed or whether the vulnerable sink is present.
Relying on MFA does not stop the browser-side script once a victim is already logged into the wiki.

06 · Verification

Crowdsourced verification payload.

Run this on the MediaWiki application host where the TabberNeue extension files are installed. Invoke it as bash check-tabberneue-cve-2025-21612.sh /var/www/mediawiki/extensions/TabberNeue; read access to the extension directory is enough, root is not required.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-tabberneue-cve-2025-21612.sh
# Detect CVE-2025-21612 in MediaWiki TabberNeue by inspecting the vulnerable sink.
# Usage: bash check-tabberneue-cve-2025-21612.sh /path/to/extensions/TabberNeue
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

EXT_DIR="${1:-}"
if [[ -z "$EXT_DIR" ]]; then
  echo "UNKNOWN: missing argument. Usage: $0 /path/to/extensions/TabberNeue"
  exit 2
fi

TARGET="$EXT_DIR/includes/TabberTransclude.php"
if [[ ! -f "$TARGET" ]]; then
  echo "UNKNOWN: file not found: $TARGET"
  exit 2
fi

# Patched sink from commit f229cab:
#   Sanitizer::escapeHtmlAllowEntities( $pageName )
# Vulnerable sink:
#   sprintf( '<div class="error">Invalid title: %s</div>', $pageName );

if grep -Fq "Sanitizer::escapeHtmlAllowEntities( \$pageName )" "$TARGET"; then
  echo "PATCHED: escaping sink present in $TARGET"
  exit 0
fi

if grep -Fq "<div class=\"error\">Invalid title: %s</div>', \$pageName" "$TARGET"; then
  echo "VULNERABLE: unescaped Invalid title sink present in $TARGET"
  exit 1
fi

# Fallback heuristics in case formatting differs.
if grep -Fq "Invalid title: %s" "$TARGET"; then
  if grep -Fq "escapeHtmlAllowEntities" "$TARGET"; then
    echo "PATCHED: invalid-title sink exists but escaping helper is present"
    exit 0
  fi
  echo "UNKNOWN: invalid-title sink found, but could not confirm escaping state"
  exit 2
fi

echo "UNKNOWN: expected sink pattern not found; file may be heavily modified or from an unsupported branch"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify every MediaWiki host running TabberNeue, then verify whether any instance is below 2.7.2 and whether untrusted or broad contributor groups can publish <tabbertransclude> content. For this MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window under the noisgate remediation SLA, but do the inventory and authoring-rights review now so these boxes do not disappear into backlog fog; if you cannot patch promptly, reduce edit exposure and review existing pages using the tag during the same maintenance cycle.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.