Executive Summary

CVE-2025-62669 is a vulnerability in the MediaWiki CentralAuth Extension where the function responsible for counting active suppress blocks across multiple wikis incorrectly includes suppress blocks from other wikis without verifying if the requesting user has permission to see them. This means users without proper rights can see information about suppress blocks on other wikis, leading to exposure of sensitive information. The issue stems from a bug in the CentralAuthUser::getBlocks() method. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized exposure of sensitive information about user suppress blocks on other wikis. Users without the necessary permissions can learn about the presence of suppress blocks that they should not be able to see, potentially compromising privacy and security within the Wikimedia environment. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by enabling the UserInfoCard feature on a test wiki and querying a user known to have suppress blocks on another wiki. If the API response incorrectly shows the 'activeLocalBlocksAllWikis' count as 1 instead of 0, it indicates the presence of the vulnerability. Specifically, you can perform an API query to check the 'activeLocalBlocksAllWikis' value for a user with suppress blocks on a non-local wiki and observe if suppress blocks are improperly included without permission checks. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying the short-term fix that excludes all suppress blocks from the results returned by the 'CentralAuthUser::getBlocks()' method. This fix was deployed during the August 18, 2025 security deployment window and is included in patches merged into the master, REL1_43, and REL1_44 branches of the CentralAuth extension. Ensuring your MediaWiki installation is updated with these patches will mitigate the vulnerability. [1]

Useful 0 Not Useful 0