CVE-2025-62668
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-21
Assigner: wikimedia-foundation
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikimedia | mediawiki_growth_experiments_extension | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62668 is a broken access control vulnerability in the GrowthExperiments extension of MediaWiki. It allows any user, including unauthenticated ones, to arbitrarily assign themselves or others as mentors or mentees via the `action=growthsetmentor` API without proper permission checks. The API did not verify if the assigned mentor was a registered mentor or if the user had the necessary permissions, enabling unauthorized mentor-mentee relationship assignments. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized users manipulating mentor-mentee relationships within the MediaWiki GrowthExperiments extension. Such unauthorized changes could undermine trust in the mentorship system, potentially allowing malicious users to gain influence or disrupt user interactions by falsely assigning mentor roles, which may affect user experience and the integrity of the platform. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring or testing the API endpoint `/wiki/Special:ApiSandbox#action=growthsetmentor` for unauthorized mentor-mentee assignment attempts. You can attempt to call this API as an unauthenticated or unauthorized user to see if mentor relationships can be arbitrarily set without proper permissions. For example, using curl or similar HTTP clients to send requests to this endpoint with different user credentials or no authentication to check if mentor assignments are accepted. Specific commands are not provided in the resources, but testing unauthorized API calls to the `growthsetmentor` action is the recommended approach. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patch that enforces permission checks on the `growthsetmentor` API, ensuring that only registered mentors or users with explicit `setmentor` permission can assign or change mentor relationships. If patching immediately is not possible, restrict access to the `growthsetmentor` API endpoint to trusted users only, or disable the GrowthExperiments extension temporarily to prevent exploitation. Monitoring and auditing mentor assignment changes can also help detect unauthorized activity until the fix is applied. [1]