CVE-2025-11173
Authentication Bypass in Wikimedia OATHAuth's OATHManage.php Component
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: wikimedia-foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikimedia | mediawiki | up to 1.39.14 (1.39.14 excluded) |
| wikimedia | mediawiki | 1.43.4 |
| wikimedia | mediawiki | 1.44.1 |
| wikimedia | mediawiki | 1.45.0-wmf.16 |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11173 is a security vulnerability in MediaWiki's two-factor authentication management page (Special:Manage_Two-factor_authentication). Normally, users must reauthenticate by entering their password before enabling two-factor authentication (2FA) to ensure security. However, due to a flaw, an attacker who has stolen a user session but does not know the password can bypass this reauthentication step by submitting a specially crafted POST request directly to the 2FA enable URL. This allows the attacker to enable 2FA without password verification, potentially compromising account security. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker who has stolen a user's session to enable two-factor authentication on the victim's account without knowing the password. This bypass of the reauthentication requirement could lead to unauthorized changes in the account's security settings, potentially locking the legitimate user out or enabling the attacker to manipulate authentication methods, thereby compromising account integrity and security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring web server logs for POST requests to the two-factor authentication management page (Special:Manage_Two-factor_authentication or Special:OATHManage) that bypass the reauthentication step: for example, POST requests to a URL such as `/w/index.php?title=Special:Manage_Two-factor_authentication&action=enable&module=totp` that do not follow the expected GET request flow. A starting point is grep on the web server access log, for example `grep 'POST.*Special:Manage_Two-factor_authentication' /var/log/apache2/access.log`, or network monitoring tools such as tcpdump or Wireshark to filter HTTP POST requests to these URLs. Note that the referenced resources do not provide specific commands. [1]
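As an added illustration of the log-based detection described above (not code from the CVE record or from MediaWiki), the following Python checker parses Apache combined-format access log lines and flags POST requests to the 2FA management page that no GET to that page from the same client preceded within a time window. The sample log lines and the ten-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format; we only need client IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Both names of the 2FA management page named on the CVE page.
OATH_PAGES = {"Special:OATHManage", "Special:Manage_Two-factor_authentication"}
GET_WINDOW = timedelta(minutes=10)  # assumption: how recently a GET must precede the POST


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    qs = {k: v[0] for k, v in parse_qs(url.query).items()}
    # Title comes from ?title=... (index.php) or from a short URL like /wiki/Special:OATHManage.
    title = unquote(qs.get("title") or url.path.rsplit("/", 1)[-1])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "title": title,
        "action": qs.get("action", ""),
        "module": qs.get("module", ""),
    }


def find_suspicious_posts(lines, window=GET_WINDOW):
    """Return POSTs to the 2FA page that no GET to it from the same client preceded within window."""
    last_get, flagged = {}, []
    for rec in filter(None, map(parse_line, lines)):
        if rec["title"] not in OATH_PAGES:
            continue
        if rec["method"] == "GET":
            last_get[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST":
            seen = last_get.get(rec["ip"])
            if seen is None or rec["ts"] - seen > window:
                flagged.append(rec)
    return flagged


# Constructed sample: a normal GET-then-POST flow, then a direct POST with no prior GET.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Feb/2026:10:00:01 +0000] "GET /w/index.php?title=Special:OATHManage HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Feb/2026:10:00:40 +0000] "POST /w/index.php?title=Special:OATHManage&action=enable&module=totp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2026:10:05:12 +0000] "POST /w/index.php?title=Special:Manage_Two-factor_authentication&action=enable&module=totp HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [03/Feb/2026:10:05:13 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 8000 "-" "python-requests/2.31"
"""
```

Pairing requests by client IP is a heuristic: clients behind NAT or a proxy share an address, so a hit is a lead to correlate with session and user data, not proof of exploitation.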
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the MediaWiki OATHAuth extension to a fixed version where the vulnerability is patched (versions 1.39.14, 1.43.4, 1.44.1 or later). The fix enforces full reauthentication on all visits and actions on the Special:OATHManage page, including POST requests, preventing bypass of the reauthentication requirement. Applying these updates ensures that attackers cannot bypass the reauthentication step when enabling two-factor authentication. Additionally, reviewing and enforcing strict session management and monitoring for suspicious POST requests to the 2FA management pages can help mitigate exploitation until patches are applied. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.