CVE-2025-11173
Unknown Unknown - Not Provided
Authentication Bypass in Wikimedia OATHAuth's OATHManage.php Component

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: wikimedia-foundation

Description
Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from * before 1.39.14, 1.43.4, 1.44.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11173
EUVD
EUVD-2025-206638
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
wikimedia mediawiki From 1.39.14|end_including=1.39.14 (exc)
wikimedia mediawiki 1.43.4
wikimedia mediawiki 1.44.1
wikimedia mediawiki 1.45.0-wmf.16
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11173 is a security vulnerability in MediaWiki's two-factor authentication management page (Special:Manage_Two-factor_authentication). Normally, users must reauthenticate by entering their password before enabling two-factor authentication (2FA) to ensure security. However, due to a flaw, an attacker who has stolen a user session but does not know the password can bypass this reauthentication step by submitting a specially crafted POST request directly to the 2FA enable URL. This allows the attacker to enable 2FA without password verification, potentially compromising account security. [1]

Impact Analysis

This vulnerability can allow an attacker who has stolen a user's session to enable two-factor authentication on the victim's account without knowing the password. This bypass of the reauthentication requirement could lead to unauthorized changes in the account's security settings, potentially locking the legitimate user out or enabling the attacker to manipulate authentication methods, thereby compromising account integrity and security. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the URL path related to two-factor authentication management, specifically POST requests to Special:Manage_Two-factor_authentication or Special:OATHManage pages that bypass the reauthentication step. Detection can involve inspecting web server logs or using tools to capture HTTP requests and look for POST requests to URLs like '/w/index.php?title=Special:Manage_Two-factor_authentication&action=enable&module=totp' that do not follow the expected GET request flow. Commands to detect such activity might include using grep on web server logs, for example: `grep 'POST.*Special:Manage_Two-factor_authentication' /var/log/apache2/access.log` or using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to these URLs. However, no specific commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include updating the MediaWiki OATHAuth extension to a fixed version where the vulnerability is patched (versions 1.39.14, 1.43.4, 1.44.1 or later). The fix enforces full reauthentication on all visits and actions on the Special:OATHManage page, including POST requests, preventing bypass of the reauthentication requirement. Applying these updates ensures that attackers cannot bypass the reauthentication step when enabling two-factor authentication. Additionally, reviewing and enforcing strict session management and monitoring for suspicious POST requests to the 2FA management pages can help mitigate exploitation until patches are applied. [1, 2]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart