CVE-2025-62669
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-21
Assigner: wikimedia-foundation
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikimedia | mediawiki | 1.39 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62669 is a vulnerability in the MediaWiki CentralAuth Extension where the function responsible for counting active suppress blocks across multiple wikis incorrectly includes suppress blocks from other wikis without verifying if the requesting user has permission to see them. This means users without proper rights can see information about suppress blocks on other wikis, leading to exposure of sensitive information. The issue stems from a bug in the CentralAuthUser::getBlocks() method. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized exposure of sensitive information about user suppress blocks on other wikis. Users without the necessary permissions can learn about the presence of suppress blocks that they should not be able to see, potentially compromising privacy and security within the Wikimedia environment. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by enabling the UserInfoCard feature on a test wiki and querying a user known to have suppress blocks on another wiki. If the API response incorrectly shows the 'activeLocalBlocksAllWikis' count as 1 instead of 0, it indicates the presence of the vulnerability. Specifically, you can perform an API query to check the 'activeLocalBlocksAllWikis' value for a user with suppress blocks on a non-local wiki and observe if suppress blocks are improperly included without permission checks. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the short-term fix that excludes all suppress blocks from the results returned by the 'CentralAuthUser::getBlocks()' method. This fix was deployed during the August 18, 2025 security deployment window and is included in patches merged into the master, REL1_43, and REL1_44 branches of the CentralAuth extension. Ensuring your MediaWiki installation is updated with these patches will mitigate the vulnerability. [1]