
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-61636 is a Cross-Site Scripting (XSS) vulnerability in MediaWiki's Codex-based Special:Block interface. It was identified on May 15, 2025, and affects MediaWiki installations with $wgUseCodexSpecialBlock enabled. The flaw is a message XSS: the content of the ipbsubmit interface message (the label of the form's submit button) was rendered into the page without being escaped (Phabricator).
The unescaped value is the $content passed to a rawElement call when building the button label; Html::rawElement, unlike Html::element, inserts its content as-is. The bug is reached only when the form's displayFormat is codex, and it affects both the Special:Block page itself and any other form whose buildCodexComponent is invoked from CodexHTMLForm.php. It was found with MediaWiki's x-xss test language, which substitutes a script payload for interface messages so that any message emitted without escaping shows up immediately (Phabricator).
An attacker who can alter the content of the ipbsubmit message can inject script into the Special:Block page of anyone who views the Codex form. On a default MediaWiki installation, interface messages are customised through the MediaWiki namespace, which is editable only by users holding the editinterface right; the Wikimedia security team rated the issue Low (Phabricator).
The first patch escaped $content inside buildCodexComponent, but it was reverted because it introduced double escaping: the parameter was already annotated @param-taint $buttonLabel exec_html (that is, declared to be HTML that callers have already escaped), and every caller outside HTMLButtonField did escape the label before passing it in. The final fix was delivered in a separate patch that applied the escaping at the correct layer (Phabricator).
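The two patterns at issue, the raw-content button label and the double-escaping trap that caused the first patch to be reverted, are illustrated below. This is an added example written for this page, not MediaWiki's code: the functions buildButtonRaw, buildButtonEscaped, xssProbeMessage and leaksScript are hypothetical stand-ins for Html::rawElement, an escaping builder and the x-xss language, and the payload string is constructed for the demonstration.

```php
<?php
// Added illustration, not MediaWiki code. All function names below are
// hypothetical; plain htmlspecialchars() stands in for MediaWiki's helpers.
declare(strict_types=1);

/** Escape text once for an HTML text/attribute context. */
function esc(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern (the rawElement $content case): the label is trusted
 * as already-safe HTML and concatenated in unchanged. This is only safe if
 * every caller escapes first, which the exec_html taint annotation promises
 * but the Codex Special:Block path did not deliver.
 */
function buildButtonRaw(string $labelHtml): string {
    return '<button class="cdx-button" type="submit">' . $labelHtml . '</button>';
}

/** Hardened pattern: the builder owns the escaping and expects plain text. */
function buildButtonEscaped(string $labelText): string {
    return '<button class="cdx-button" type="submit">' . esc($labelText) . '</button>';
}

/**
 * Stand-in for the x-xss test language: every message lookup returns a
 * payload that is inert when escaped and unmistakable when it is not.
 */
function xssProbeMessage(string $key): string {
    return '<script>alert("x-xss:' . $key . '")</script>';
}

/** True if rendered HTML still carries an unescaped script tag. */
function leaksScript(string $html): bool {
    return stripos($html, '<script') !== false;
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

$label = xssProbeMessage('ipbsubmit');   // constructed probe, not a real message

// 1. Raw builder, caller forgot to escape: the probe survives into the page.
check(leaksScript(buildButtonRaw($label)), 'raw builder leaks unescaped message');

// 2. Escaping builder: the probe is rendered as visible text, not executed.
$fixed = buildButtonEscaped($label);
check(!leaksScript($fixed), 'escaping builder neutralises probe');
check(strpos($fixed, '&lt;script&gt;') !== false, 'probe shows up as escaped text');

// 3. Why the first patch was reverted: callers honouring the exec_html
//    contract already escape, so escaping again turns "&" into "&amp;amp;"
//    and the user sees a literal "&amp;" on the button.
$double = buildButtonEscaped(esc('Block & confirm'));
check(strpos($double, '&amp;amp;') !== false, 'escaping twice double-encodes the label');
```

The third check is the practical test to run before changing an escaping layer: feed a label containing `&` or `<` through the full call chain and look for `&amp;amp;` or `&amp;lt;` in the output, which means two layers are escaping and the fix belongs in exactly one of them.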
The vulnerability was handled through Wikimedia's security response process, with multiple developers and security team members collaborating on the fix. The issue generated significant technical discussion regarding the proper approach to message escaping in MediaWiki's codebase (Phabricator).
Source: This report was generated using AI