CVE-2025-21612

CVE-2025-21612 is a high-severity cross-site scripting (XSS) vulnerability in starcitizentools/tabber-neue (composer), affecting versions >= 1.9.1, < 2.7.2. It is fixed in 2.7.2.

Summary

There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or otherwise render wikitext to XSS other users.

Edit: Only the first XSS can be reproduced in production.

Details

✅ Verified and patched in f229cab099c69006e25d4bad3579954e481dc566

https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/TabberTransclude.php#L154
This doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here.

This was caused by d8c3db4e5935476e496d979fb01f775d3d3282e6.

❌ Invalid as MediaWiki parser sanitizes dangerous HTML

https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/Tabber.php#L160
The documentation for Parser::recursiveTagParse() states that it returns unsafe HTML, and the $content being supplied is from user input.

This was caused by 95351812613e04717f3ad7844cfcc67e4ede4d11.

❌ Invalid as TabberParsoid is not being used

https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/TabberParsoid.php#L96
This uses unescaped user input as the attribute of an element, allowing the user to break out of the attribute or element and inject arbitrary attributes into the element, or insert new elements (such as a script tag).

This was caused by 8278e665480f08da635aee383c6b5caaeca26ba3.

PoC

For the first XSS, render the following wikitext (whether it be through saving it to a page and viewing it, or via Special:ExpandTemplates):

<tabbertransclude>
<script>alert(1)</script> | hehe
</tabbertransclude>

For the second XSS, I have given up attempting to reproduce it after over twenty minutes of "surfing through the internals of the MediaWiki parser fishing for an XSS out of this giant contraption as I bring myself deeper and deeper into the cogs of the machine that no one knows how to maintain or fully operate ever since its conception".

For the third XSS, this is unreachable as the class is never used, though it should be fixed anyway (or the file removed).
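The bug class behind the verified finding (and the attribute-context variant described for TabberParsoid.php), as an added PHP example that is not TabberNeue's own code: a user-controlled page name interpolated raw into HTML, beside the escaped form. The function names and markup shape are assumptions; MediaWiki's Html::element helper performs equivalent escaping, but plain htmlspecialchars is used here so the snippet runs stand-alone.

```php
<?php
// Added example, not TabberNeue's own code. Function names and the markup
// shape are assumptions chosen to mirror the two reported sinks: a page
// name landing in element text and in an attribute value.
declare(strict_types=1);

// Vulnerable shape: the page name is concatenated straight into the markup.
function renderTabVulnerable(string $pageName): string
{
    return '<article class="tabber__panel" data-title="' . $pageName . '">'
        . 'Loading ' . $pageName . '</article>';
}

// Escape once for the HTML context the value lands in. ENT_QUOTES covers both
// attribute quoting styles; ENT_SUBSTITUTE avoids htmlspecialchars returning
// an empty string on invalid UTF-8, which would silently drop the output.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened shape: identical markup, every user-controlled value escaped.
function renderTabHardened(string $pageName): string
{
    $safe = esc($pageName);
    return '<article class="tabber__panel" data-title="' . $safe . '">'
        . 'Loading ' . $safe . '</article>';
}

// Regression check a reviewer could keep: the payload from the advisory's PoC
// must not survive as live markup, and quotes must not end an attribute.
function selfCheck(): bool
{
    $payload = '<script>alert(1)</script>'; // taken from the advisory's PoC
    $quoted  = 'Page "with quotes"';         // constructed sample page name

    $bugReproduces = strpos(renderTabVulnerable($payload), '<script>') !== false;
    $textEscaped   = strpos(renderTabHardened($payload), '<script>') === false
        && strpos(renderTabHardened($payload), '&lt;script&gt;') !== false;
    $attrEscaped   = strpos(renderTabHardened($quoted), '"with') === false
        && strpos(renderTabHardened($quoted), '&quot;with quotes&quot;') !== false;

    return $bugReproduces && $textEscaped && $attrEscaped;
}

echo renderTabHardened('<script>alert(1)</script>'), PHP_EOL;
echo selfCheck() ? "escaping check passed\n" : "escaping check FAILED\n";
```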

Impact

Any user with the ability to cause another user to render wikitext (such as viewing a page that the user can edit, or an attacker tricking the victim to click on a link to Special:ExpandTemplates with the malicious wikitext in the wpInput parameter) can XSS said user.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

CVE-2025-21612 has a CVSS score of 8.6 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.7.2); upgrading removes the vulnerable code path.

Affected versions

starcitizentools/tabber-neue (>= 1.9.1, < 2.7.2)

Security releases

starcitizentools/tabber-neue → 2.7.2 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade starcitizentools/tabber-neue to 2.7.2 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-21612? CVE-2025-21612 is a high-severity cross-site scripting (XSS) vulnerability in starcitizentools/tabber-neue (composer), affecting versions >= 1.9.1, < 2.7.2. It is fixed in 2.7.2. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is CVE-2025-21612? CVE-2025-21612 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of starcitizentools/tabber-neue are affected by CVE-2025-21612? starcitizentools/tabber-neue (composer) versions >= 1.9.1, < 2.7.2 are affected.
  4. Is there a fix for CVE-2025-21612? Yes. CVE-2025-21612 is fixed in 2.7.2. Upgrade to this version or later.
  5. Is CVE-2025-21612 exploitable, and should I be worried? Whether CVE-2025-21612 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-21612 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-21612? Upgrade starcitizentools/tabber-neue to 2.7.2 or later.
