CVE-2025-62666
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-21
Assigner: wikimedia-foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikimedia | mediawiki | cirrussearch |
| wikimedia | mediawiki | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62666 is a denial-of-service (DoS) vulnerability in the CirrusSearch extension of MediaWiki. It occurs when certain complex pages cause the parsing and document-building work behind the `cirrusbuilddoc` query API to exceed execution time limits, leading to repeated request timeouts and internal API errors. Because no limit is placed on how much of this work can be requested, an attacker can disrupt service by repeatedly triggering these timeouts during search indexing operations. [1]
How can this vulnerability impact me?
This vulnerability can impact you by causing denial-of-service conditions on MediaWiki instances using the CirrusSearch extension. Specifically, it can lead to service disruptions due to repeated timeouts and failures in the search indexing process, potentially making search functionality unavailable or unreliable. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for repeated timeouts or internal API errors related to the `cirrusbuilddoc` query API in the CirrusSearch extension of MediaWiki. Specifically, look for `RequestTimeoutException` errors during search indexing operations, especially when complex pages are being parsed. Commands to detect this might include searching the MediaWiki logs for timeout errors or using network monitoring tools to identify repeated failed API calls to the `cirrusbuilddoc` endpoint. For example, you could run `grep 'RequestTimeoutException' /path/to/mediawiki/logs` to find relevant errors, or test the API endpoint with `curl -v 'https://your-mediawiki-instance/api.php?action=cirrusbuilddoc&format=json'` and watch for timeouts or failures. [1]
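As an added example (not code from the advisory or the MediaWiki project), the log check above carried one step further: a script that scans constructed CirrusSearch log lines for `cirrusbuilddoc` timeouts and flags page titles and clients that trigger them repeatedly. The log line format, field names and threshold are assumptions; adapt the regex to your own log channel.

```python
import re
from collections import Counter

# Constructed sample log lines (not real MediaWiki output); the real
# CirrusSearch log format may differ, so TIMEOUT_RE is an assumption.
SAMPLE_LOG = """\
2025-10-18T10:00:01Z cirrussearch INFO cirrusbuilddoc title="Main_Page" client=203.0.113.5 status=ok
2025-10-18T10:00:03Z cirrussearch ERROR RequestTimeoutException in cirrusbuilddoc title="Heavy_Template_Page" client=203.0.113.7
2025-10-18T10:00:05Z cirrussearch ERROR RequestTimeoutException in cirrusbuilddoc title="Heavy_Template_Page" client=203.0.113.7
2025-10-18T10:00:09Z cirrussearch ERROR RequestTimeoutException in cirrusbuilddoc title="Heavy_Template_Page" client=203.0.113.7
2025-10-18T10:00:12Z cirrussearch ERROR RequestTimeoutException in cirrusbuilddoc title="Other_Page" client=198.51.100.2
2025-10-18T10:00:15Z cirrussearch INFO cirrusbuilddoc title="Main_Page" client=203.0.113.5 status=ok
"""

# Only lines that are both a RequestTimeoutException and a cirrusbuilddoc call count.
TIMEOUT_RE = re.compile(
    r'RequestTimeoutException.*?cirrusbuilddoc.*?title="(?P<title>[^"]+)".*?client=(?P<client>\S+)'
)


def parse_timeouts(log_text):
    """Return (title, client) pairs for every cirrusbuilddoc timeout line."""
    hits = []
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            hits.append((m.group("title"), m.group("client")))
    return hits


def flag_repeats(hits, threshold=3):
    """Return (titles, clients) whose timeout count reaches the threshold.

    A single slow page is noise; the same page or client timing out again
    and again is the pattern worth alerting on and throttling.
    """
    by_title = Counter(title for title, _ in hits)
    by_client = Counter(client for _, client in hits)
    return (
        {t: n for t, n in by_title.items() if n >= threshold},
        {c: n for c, n in by_client.items() if n >= threshold},
    )


if __name__ == "__main__":
    titles, clients = flag_repeats(parse_timeouts(SAMPLE_LOG))
    print("repeatedly timing-out titles:", titles)
    print("repeatedly timing-out clients:", clients)
```

Feed the script real log output instead of `SAMPLE_LOG` and tune the threshold to your normal timeout rate before alerting on it.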
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patches developed for the CirrusSearch extension, which introduce the `PoolCounter` mechanism to limit and control resource usage during `cirrusbuilddoc` operations. This prevents excessive resource consumption and the resulting request timeouts. If patching is not immediately possible, consider limiting or blocking access to the `cirrusbuilddoc` query API to reduce the risk of DoS attacks. Monitoring and throttling requests to this API can also help limit the impact until the patches are applied. [1]