CVE-2025-59839
Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes
Description
### Summary The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. ### Details The attributes of an iframe are populated with the value of an unreserved data attribute (`data-iframeconfig`) that can be set via wikitext: https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/ext.embedVideo.videolink.js#L5-L20 Similar code is also present here: https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/modules/iframe.js#L139-L155 It is possible to execute JS through attributes like `onload` or `onmouseenter`. ### PoC 1. Create a page with the following contents: ```html <div class="embedvideo-evl" data-iframeconfig='{"onload": "alert(1)"}'>Click me!</div> <evlplayer></evlplayer> ``` 2. Click on the "Click me!" text 3. Click on the "Load video" button below <img width="855" height="404" alt="image" src="https://github.com/user-attachments/assets/afb3839a-012c-4e90-a208-a6137b704ccd" /> ### Impact Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.
How to fix CVE-2025-59839
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2025-59839 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 4.0.0