CVE-2025-32067: CWE-20 Improper Input Validation in The Wikimedia Foundation Mediawiki - Growth Experiments Extension
Description
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Growth Experiments Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Growth Experiments Extension: from 1.39 through 1.43.
AI Analysis
Technical Summary
CVE-2025-32067 is a security vulnerability identified in the Growth Experiments Extension of Mediawiki, a widely used open-source wiki platform maintained by The Wikimedia Foundation. The vulnerability stems from improper input validation (CWE-20) in Growth Experiments Extension versions 1.39 through 1.43: the extension does not adequately verify or sanitize user-supplied input before processing it. This flaw lets an attacker inject script into the web application, resulting in Cross-Site Scripting (XSS). XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the victim's browser session, which can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as cookies or credentials.

The Growth Experiments Extension is designed to facilitate A/B testing and feature experiments within Mediawiki installations, so it is often active on deployments that customize the user experience or test new features. The affected versions, 1.39 through 1.43, are recent releases, so many current deployments could be impacted if they use this extension.

No CVSS score has been assigned yet, and there are no known exploits in the wild at the time of publication. However, improper input validation in a web-facing component is a significant risk, especially for public-facing wikis. Attackers do not require authentication to exploit this vulnerability if the extension processes input from unauthenticated users, which is common in public wiki environments. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for administrators to apply mitigations or monitor for updates.
Potential Impact
For European organizations using Mediawiki with the Growth Experiments Extension enabled, this vulnerability poses a risk to the confidentiality and integrity of their web platforms. Public-facing wikis, including those used by government agencies, educational institutions, and private enterprises, could be targeted to execute XSS attacks that compromise user sessions or inject misleading content. This could lead to reputational damage, data leakage, or unauthorized access to internal resources if session tokens or credentials are stolen. Additionally, attackers could use the vulnerability as a foothold to conduct further attacks such as phishing or malware distribution. Given the collaborative nature of wikis, the integrity of information is critical; XSS attacks could undermine trust in the platform by enabling content tampering or misinformation. The availability impact is generally limited for XSS, but persistent exploitation could lead to denial-of-service conditions if combined with other attack vectors. Since Mediawiki is widely used across Europe in various sectors, the potential impact is broad, especially for organizations that rely on wikis for knowledge management and public communication.
Mitigation Recommendations
Administrators should immediately review their Mediawiki installations to determine whether Growth Experiments Extension versions 1.39 through 1.43 are in use. Recommended measures:
- Consider disabling the extension temporarily until a security patch is released.
- In the absence of an official patch, apply web application firewall (WAF) rules that detect and block suspicious input patterns associated with XSS.
- Enforce input sanitization and output encoding at the application level, potentially by customizing the extension code to validate and escape user input rigorously.
- Monitor web server logs and user activity for unusual patterns indicative of XSS attempts.
- Subscribe to Wikimedia Foundation security advisories to receive timely updates, and apply patches promptly once available.
- Educate users about the risks of clicking suspicious links or executing scripts, to blunt the social-engineering side of XSS attacks.
- Deploy Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting the sources from which scripts can be loaded.
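The output-encoding and CSP recommendations above, shown as an added PHP illustration written for this page. It is generic code, not code from the GrowthExperiments extension or from MediaWiki core; the advisory does not say which code path in the extension is affected, so the function names, the `label` span and the sample input are all constructed for the example.

```php
<?php
// Added illustration for the mitigation section. Generic PHP written for
// this page, not GrowthExperiments code; the affected code path in the
// extension is not identified by the advisory.

/**
 * Unsafe pattern: untrusted input is concatenated into HTML unchanged,
 * so any markup inside it is parsed by the browser (the root cause of XSS).
 */
function renderUnsafe(string $untrusted): string {
    return '<span class="label">' . $untrusted . '</span>';
}

/**
 * Hardened pattern: encode for the HTML text context before interpolation.
 * ENT_QUOTES also encodes single quotes so the same encoding is safe inside
 * quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string, which would otherwise silently drop the input.
 */
function renderSafe(string $untrusted): string {
    $encoded = htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="label">' . $encoded . '</span>';
}

/**
 * Attribute context: encode the value and always wrap it in double quotes;
 * an unquoted attribute would let a space in the input start a new attribute.
 */
function safeAttribute(string $name, string $untrusted): string {
    $encoded = htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $name . '="' . $encoded . '"';
}

/**
 * Defence in depth: a CSP that forbids inline script. Only <script> tags
 * carrying the per-response nonce may run, so an injected <script> block or
 * on* handler is blocked even where encoding was missed somewhere.
 */
function buildCsp(string $nonce): string {
    return "default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; "
        . "object-src 'none'; base-uri 'self'";
}

// Per-response nonce; the header must be sent before any output.
$nonce = base64_encode(random_bytes(16));
header('Content-Security-Policy: ' . buildCsp($nonce));

// Constructed sample input containing markup (not a payload from the advisory).
$sample = '<img src=x onerror="alert(1)">';

echo renderUnsafe($sample), PHP_EOL;  // browser would treat this as an element
echo renderSafe($sample), PHP_EOL;    // rendered as visible text instead
echo '<a ' . safeAttribute('title', $sample) . '>link</a>', PHP_EOL;
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">'
    . '/* trusted page script */</script>', PHP_EOL;
```

In a real MediaWiki extension the same two contexts are normally handled with core helpers rather than hand-rolled concatenation: `Html::element()` escapes its text content and attribute values, while `Html::rawElement()` does not and must only receive already-escaped HTML. MediaWiki core can also emit the CSP header itself via the `$wgCSPHeader` setting, which is the place to enable it site-wide rather than calling `header()` from extension code.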
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: wikimedia-foundation
- Date Reserved: 2025-04-03T21:56:59.951Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6866b2446f40f0eb72993366
Added to database: 7/3/2025, 4:39:32 PM
Last enriched: 7/3/2025, 4:56:46 PM
Last updated: 8/19/2025, 7:13:17 PM
Related Threats
- CVE-2025-8895 (Critical): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in cozmoslabs WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress
- CVE-2025-7390 (Critical): CWE-295 Improper Certificate Validation in Softing Industrial Automation GmbH OPC UA C++ SDK
- CVE-2025-53505 (Medium): Improper limitation of a pathname to a restricted directory ('Path Traversal') in Intermesh BV Group-Office
- CVE-2025-53504 (Medium): Cross-site scripting (XSS) in Intermesh BV Group-Office
- CVE-2025-48355 (Medium): CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in ProveSource LTD ProveSource Social Proof