CVE-2025-62652: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in The Wikimedia Foundation MediaWiki WebAuthn extension
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki WebAuthn extension allows Stored XSS. This issue affects MediaWiki WebAuthn extension: 1.39, 1.43, 1.44.
AI Analysis
Technical Summary
CVE-2025-62652 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the MediaWiki WebAuthn extension versions 1.39, 1.43, and 1.44. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. This flaw allows an attacker with limited privileges (requiring authentication) and user interaction to inject malicious JavaScript code that is stored and later executed in the browsers of other users who view the affected pages. The attack vector is network-based, and the attack complexity is low, but exploitation requires the attacker to be authenticated and to trick a user into interacting with the malicious content. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of other users. Availability impact is not significant. The vulnerability does not require elevated privileges beyond authenticated user access, and no known exploits have been reported in the wild as of the publication date. The CVSS 4.0 score of 5.8 reflects these factors, categorizing the issue as medium severity. The WebAuthn extension is used to enhance authentication mechanisms in MediaWiki, a widely deployed open-source wiki platform used by organizations globally, including many European institutions. The vulnerability stems from insufficient input sanitization in the WebAuthn extension's web page generation process, allowing malicious payloads to be stored and served to other users. This can undermine trust in the platform and lead to broader security incidents if exploited.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for public sector entities, educational institutions, and collaborative knowledge bases that rely on MediaWiki with the WebAuthn extension for secure authentication. Exploitation could lead to unauthorized access to user sessions, theft of sensitive information, and potential manipulation of wiki content or user credentials. This can result in reputational damage, data breaches, and disruption of critical information-sharing platforms. Since the vulnerability requires authenticated access and user interaction, insider threats or compromised user accounts could be leveraged to launch attacks. The widespread use of MediaWiki in government, research, and cultural institutions across Europe increases the risk profile. Additionally, the vulnerability could be exploited to target high-value users or administrators, amplifying the potential damage. Although no known exploits are currently in the wild, the presence of this vulnerability in multiple versions means that unpatched systems remain at risk. The medium severity rating suggests that while the threat is not critical, it should not be ignored due to the potential for privilege escalation and data compromise within trusted environments.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:
1) Immediately identify and inventory all MediaWiki installations using the WebAuthn extension versions 1.39, 1.43, or 1.44.
2) Monitor official Wikimedia Foundation channels for patches or updates addressing CVE-2025-62652 and apply them promptly once available.
3) Until patches are released, implement strict input validation and output encoding on all user-supplied data within the WebAuthn extension to prevent malicious script injection.
4) Restrict WebAuthn extension usage to trusted user groups and limit permissions to reduce the attack surface.
5) Enhance user awareness and training to recognize and avoid interacting with suspicious links or content that could trigger XSS payloads.
6) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in MediaWiki pages.
7) Conduct regular security audits and penetration testing focused on web application vulnerabilities, especially XSS.
8) Monitor logs for unusual activities related to WebAuthn extension usage and user sessions.
9) Consider disabling the WebAuthn extension temporarily if it is not critical to operations until a secure version is deployed.
These targeted actions go beyond generic advice by focusing on the specific affected component and the operational context of European organizations.
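To make steps 3 and 6 concrete, the following is an added example written for this page, not code from the MediaWiki WebAuthn extension: it contrasts the CWE-79 rendering pattern with output-encoded rendering of a stored, user-chosen credential name (the injection point, record layout, function names and CSP values are all assumptions), and adds a check that tells whether a given CSP header would still let inline script run.

```python
import html

# Constructed sample: stored WebAuthn credential records as a key-management
# page might hold them. The "name" field is user-supplied at registration and
# is the assumed injection point; the real extension's schema may differ.
STORED_KEYS = [
    {"id": "key-1", "name": "YubiKey 5 (work laptop)"},
    {"id": "key-2", "name": "<script>alert(1)</script>"},  # constructed test payload
]

def render_key_list_vulnerable(keys):
    """CWE-79 pattern: user-supplied text concatenated straight into HTML."""
    rows = "".join(f'<li data-id="{k["id"]}">{k["name"]}</li>' for k in keys)
    return f'<ul class="webauthn-keys">{rows}</ul>'

def render_key_list_hardened(keys):
    """Same page with output encoding applied to every user-controlled value,
    in both attribute and text context (mitigation step 3)."""
    rows = "".join(
        f'<li data-id="{html.escape(k["id"])}">{html.escape(k["name"])}</li>'
        for k in keys
    )
    return f'<ul class="webauthn-keys">{rows}</ul>'

def contains_raw_markup(rendered_html, untrusted_values):
    """Regression check for templates: True if any untrusted value that holds
    HTML metacharacters reached the output verbatim, i.e. unencoded."""
    return any(
        v in rendered_html and any(c in v for c in "<>\"'")
        for v in untrusted_values
    )

def csp_allows_inline_script(header_value):
    """Mitigation step 6 check: parse a Content-Security-Policy value and report
    whether injected inline script could still run. Inline script is blocked when
    the effective source list (script-src, else default-src) exists and does not
    grant 'unsafe-inline'; a nonce or hash in that list makes browsers (CSP2+)
    ignore 'unsafe-inline'."""
    directives = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    effective = directives.get("script-src", directives.get("default-src"))
    if effective is None:
        return True  # no governing directive: browser default permits it
    lowered = [t.lower() for t in effective]
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash
```

Run `contains_raw_markup` over a rendered page in a unit test to catch a template that drops the escaping, and feed your deployed CSP value to `csp_allows_inline_script` to confirm the header actually contains stored XSS rather than merely being present.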
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: wikimedia-foundation
- Date Reserved: 2025-10-17T22:01:52.600Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f2c3d09c34d0947f47e1de
Added to database: 10/17/2025, 10:31:44 PM
Last enriched: 10/25/2025, 4:47:05 AM
Last updated: 12/4/2025, 11:41:29 AM