CVE-2025-62668
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-18

Last updated on: 2025-10-21

Assigner: wikimedia-foundation

Description
Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Resource Leak Exposure.This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-18
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62668
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wikimedia mediawiki_growth_experiments_extension *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62668 is a broken access control vulnerability in the GrowthExperiments extension of MediaWiki. It allows any user, including unauthenticated ones, to arbitrarily assign themselves or others as mentors or mentees via the `action=growthsetmentor` API without proper permission checks. The API did not verify if the assigned mentor was a registered mentor or if the user had the necessary permissions, enabling unauthorized mentor-mentee relationship assignments. [1]

Impact Analysis

This vulnerability can lead to unauthorized users manipulating mentor-mentee relationships within the MediaWiki GrowthExperiments extension. Such unauthorized changes could undermine trust in the mentorship system, potentially allowing malicious users to gain influence or disrupt user interactions by falsely assigning mentor roles, which may affect user experience and the integrity of the platform. [1]

Detection Guidance

This vulnerability can be detected by monitoring or testing the API endpoint `/wiki/Special:ApiSandbox#action=growthsetmentor` for unauthorized mentor-mentee assignment attempts. You can attempt to call this API as an unauthenticated or unauthorized user to see if mentor relationships can be arbitrarily set without proper permissions. For example, using curl or similar HTTP clients to send requests to this endpoint with different user credentials or no authentication to check if mentor assignments are accepted. Specific commands are not provided in the resources, but testing unauthorized API calls to the `growthsetmentor` action is the recommended approach. [1]

Mitigation Strategies

Immediate mitigation steps include applying the patch that enforces permission checks on the `growthsetmentor` API, ensuring that only registered mentors or users with explicit `setmentor` permission can assign or change mentor relationships. If patching immediately is not possible, restrict access to the `growthsetmentor` API endpoint to trusted users only, or disable the GrowthExperiments extension temporarily to prevent exploitation. Monitoring and auditing mentor assignment changes can also help detect unauthorized activity until the fix is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62668. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart