CVE-2025-62666
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-18

Last updated on: 2025-10-21

Assigner: wikimedia-foundation

Description
Allocation of Resources Without Limits or Throttling vulnerability in The Wikimedia Foundation Mediawiki - CirrusSearch Extension allows HTTP DoS.This issue affects Mediawiki - CirrusSearch Extension: from master before 1.43.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-18
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62666
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wikimedia mediawiki cirrussearch
wikimedia mediawiki *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62666 is a denial-of-service (DoS) vulnerability in the CirrusSearch extension of MediaWiki. It occurs when certain complex pages cause the parsing and document-building process in the `cirrusbuilddoc` query API to exceed execution time limits, leading to repeated request timeouts and internal API errors. This resource exhaustion allows an attacker to disrupt service by causing these timeouts during search indexing operations. [1]

Impact Analysis

This vulnerability can impact you by causing denial-of-service conditions on MediaWiki instances using the CirrusSearch extension. Specifically, it can lead to service disruptions due to repeated timeouts and failures in the search indexing process, potentially making search functionality unavailable or unreliable. [1]

Detection Guidance

This vulnerability can be detected by monitoring for repeated timeouts or internal API errors related to the `cirrusbuilddoc` query API in the CirrusSearch extension of MediaWiki. Specifically, look for `RequestTimeoutException` errors during search indexing operations, especially when parsing complex pages. Commands to detect this might include checking MediaWiki logs for timeout errors or using network monitoring tools to identify repeated failed API calls to the `cirrusbuilddoc` endpoint. For example, you could use `grep 'RequestTimeoutException' /path/to/mediawiki/logs` to find relevant errors or use curl to test the API endpoint: `curl -v 'https://your-mediawiki-instance/api.php?action=cirrusbuilddoc&format=json'` and observe for timeouts or failures. [1]

Mitigation Strategies

Immediate mitigation steps include applying the patches developed for the CirrusSearch extension that introduce the `PoolCounter` mechanism to limit and control resource usage during `cirrusbuilddoc` operations. This prevents excessive resource consumption and request timeouts. If patching is not immediately possible, consider limiting or blocking access to the `cirrusbuilddoc` query API to reduce the risk of DoS attacks. Monitoring and throttling requests to this API can also help mitigate the impact until patches are applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart