CVE-2024-40597

7.5 HIGH

📋 TL;DR

The CheckUser extension for MediaWiki does not honour the log_deleted attribute on log entries, so a user with access to the CheckUser interface can see log information that has been suppressed (hidden even from ordinary administrators) and that the normal log views would withhold from them. This affects MediaWiki installations running the CheckUser extension and can expose administrative actions and user data that should remain hidden.

💻 Affected Systems

Products:
  • MediaWiki with CheckUser extension
Versions: MediaWiki through 1.42.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes, once the extension is enabled (no non-default configuration is needed)
Notes: Only affects installations with the CheckUser extension enabled. The vulnerability exists in how the extension handles suppressed log events.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access suppressed logs containing sensitive user information, administrative actions, or security-related events that should remain confidential, leading to privacy violations and potential targeted attacks.

🟠 Likely Case

Users who hold the checkuser right but not the rights needed to see suppressed material (viewsuppressed / suppressionlog) can read, through the CheckUser interface, log entries that are hidden from them everywhere else, exposing details of user blocks, deletions, or other administrative actions and the accounts involved.

🟢 If Mitigated

With proper access controls limiting CheckUser functionality to trusted administrators only, the impact is reduced to potential insider threats or compromised administrator accounts.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the checkuser user right, which is normally granted only to members of the dedicated checkuser group, so this is an authenticated, privileged-user issue. Once a user has that access, no special technique is needed: the suppressed entries are simply shown.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: a CheckUser checkout on the release branch (REL1_xx) matching your MediaWiki version that includes the fix for the issue tracked in the advisory below. CheckUser is distributed separately from MediaWiki core, so updating core alone does not fix it.

Vendor Advisory: https://phabricator.wikimedia.org/T326865

Restart Required: No (no web server restart is needed; if PHP opcache is configured not to revalidate files, reset it so the patched files are actually loaded)

Instructions:

1. Update MediaWiki core to a release later than 1.42.1, or to the patched release of your supported branch named in the advisory.
2. Update the CheckUser extension to the matching release branch (REL1_xx), from the extension's git repository or the Extension Distributor, so that it includes the fix.
3. Clear caches if necessary (PHP opcache and the wiki's object cache, if one is configured), then confirm the new core and extension versions on Special:Version.

🔧 Temporary Workarounds

Disable CheckUser extension (all platforms)

Temporarily disable the CheckUser extension to prevent exploitation. While it is unloaded CheckUser also stops recording new data for later investigations, so re-enable it as soon as the patched branch is installed.

Edit LocalSettings.php and comment out or remove wfLoadExtension('CheckUser');

Restrict CheckUser permissions (all platforms)

Limit CheckUser access to the smallest set of trusted administrators. Exposure is confined to accounts that hold the checkuser right, so every such account is a potential reader of suppressed log data.

Edit LocalSettings.php to modify the $wgGroupPermissions array so that only the dedicated checkuser group holds the checkuser and checkuser-log rights, and review that group's membership at the same time.
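The two workarounds above written out as LocalSettings.php configuration, as an added example that is not from this page or the CheckUser project. The group names sysop, bureaucrat, interface-admin and checkuser are MediaWiki and CheckUser defaults, and checkuser / checkuser-log are the rights CheckUser defines; the "weak" lines are illustrative settings a small wiki might have, not anything the page reports.

```php
<?php
// Added example for LocalSettings.php (not from the page or the CheckUser project).
// Pick ONE of the two workarounds; both are shown so the weak and hardened forms sit side by side.

// --- Workaround 1: do not load the extension until the patched branch is installed ---
// Weak (exposed while unpatched):
// wfLoadExtension( 'CheckUser' );
// Hardened: leave the call commented out. CheckUser records no new data while unloaded.

// --- Workaround 2: keep CheckUser loaded, but shrink who holds the 'checkuser' right ---
wfLoadExtension( 'CheckUser' );

// Weak: a broad group handed the right (a convenience setting sometimes seen on small wikis).
// $wgGroupPermissions['sysop']['checkuser'] = true;

// Hardened: only the dedicated group that CheckUser itself defines holds the rights.
$wgGroupPermissions['checkuser']['checkuser'] = true;
$wgGroupPermissions['checkuser']['checkuser-log'] = true;

foreach ( [ 'sysop', 'bureaucrat', 'interface-admin' ] as $group ) {
    // false cancels a grant made earlier in this file. It does NOT strip the right from an
    // account that also belongs to the checkuser group (rights are the union over a user's
    // groups), so review that group's membership on Special:ListUsers as part of the same change.
    $wgGroupPermissions[$group]['checkuser'] = false;
    $wgGroupPermissions[$group]['checkuser-log'] = false;
}
```

After changing permissions, confirm the effective rights of a representative administrator account on Special:ListGroupRights and Special:UserRights rather than trusting the file alone.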

🧯 If You Can't Patch

  • Restrict the checkuser right to the minimal set of administrators who genuinely need it, and review the group's membership
  • Review Special:CheckUserLog (CheckUser's own record of every check that is run) for checks by unexpected accounts, and alert on CheckUser use outside the expected set of accounts

🔍 How to Verify

Check if Vulnerable:

Compare the MediaWiki version and the CheckUser checkout against the advisory. If MediaWiki is 1.42.1 or earlier and the CheckUser extension is loaded, assume vulnerable unless the CheckUser checkout already contains the fix.

Check Version:

Check the MediaWiki version on Special:Version, or from the MW_VERSION constant in includes/Defines.php (MediaWiki 1.35 and later; older releases set $wgVersion in includes/DefaultSettings.php). Special:Version also lists the loaded extensions, including CheckUser, with the git revision when the extension was installed from git.
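An offline check that encodes this page's rule (MediaWiki through 1.42.1 with CheckUser loaded: assume vulnerable), as an added example that is not MediaWiki or CheckUser code. It assumes MediaWiki 1.35 or later (MW_VERSION in includes/Defines.php) and a plain wfLoadExtension() call in LocalSettings.php; the sample files it writes are constructed. It deliberately errs on the conservative side: a backported fix on an older branch still reads as "assume-vulnerable", so confirm such a result against the advisory.

```php
<?php
// Added example (not from the page, MediaWiki or CheckUser): offline vulnerability triage
// for CVE-2024-40597 based only on the version range and enablement rule stated on this page.

const LAST_AFFECTED = '1.42.1'; // upper bound of the affected range given on this page

// MediaWiki 1.35+ defines its version as a constant in includes/Defines.php.
function mwVersionFromDefines(string $definesPath): ?string {
    $src = file_get_contents($definesPath);
    if ($src !== false && preg_match("/define\(\s*'MW_VERSION',\s*'([^']+)'\s*\)/", $src, $m)) {
        return $m[1];
    }
    return null;
}

// True when LocalSettings.php loads CheckUser through an uncommented wfLoadExtension() call.
// Lines starting with # or // are skipped; /* */ blocks and the wfLoadExtensions([...])
// array form are not handled, so treat a "disabled" verdict as something to confirm by hand.
function checkUserEnabled(string $localSettingsPath): bool {
    foreach (file($localSettingsPath, FILE_IGNORE_NEW_LINES) as $line) {
        if (preg_match("/^\s*wfLoadExtension\(\s*['\"]CheckUser['\"]/", $line)) {
            return true;
        }
    }
    return false;
}

// Combine the two facts into the page's rule. Unknown version + CheckUser loaded is reported
// as outside-page-range only because no comparison is possible; investigate it manually.
function assess(string $definesPath, string $localSettingsPath): string {
    $version = mwVersionFromDefines($definesPath) ?? 'unknown';
    if (!checkUserEnabled($localSettingsPath)) {
        return "checkuser-disabled ($version)";
    }
    if ($version !== 'unknown' && version_compare($version, LAST_AFFECTED, '<=')) {
        return "assume-vulnerable ($version)";
    }
    return "outside-page-range ($version)";
}

// Constructed sample inputs (hypothetical paths) so the script runs without a wiki present.
$dir = sys_get_temp_dir() . '/cve-2024-40597-' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents("$dir/Defines-old.php", "<?php\ndefine( 'MW_VERSION', '1.42.1' );\n");
file_put_contents("$dir/Defines-new.php", "<?php\ndefine( 'MW_VERSION', '1.42.2' );\n");
file_put_contents("$dir/LocalSettings-on.php", "<?php\nwfLoadExtension( 'CheckUser' );\n");
file_put_contents("$dir/LocalSettings-off.php", "<?php\n# wfLoadExtension( 'CheckUser' );\n");

echo assess("$dir/Defines-old.php", "$dir/LocalSettings-on.php"), "\n";
echo assess("$dir/Defines-new.php", "$dir/LocalSettings-on.php"), "\n";
echo assess("$dir/Defines-old.php", "$dir/LocalSettings-off.php"), "\n";
```

Run it against a real install by pointing the two paths at includes/Defines.php and LocalSettings.php; on a wiki that was updated by git, also compare the CheckUser checkout's revision with the fix commit linked from the advisory, since a patched CheckUser branch on an older core is not something the version number alone can tell you.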

Verify Fix Applied:

Verify that CheckUser respects the log_deleted flag: on a test wiki, suppress a log entry, then, as a test account that holds the checkuser right but not viewsuppressed or suppressionlog, run a check that would list that entry and confirm the suppressed entry (or its suppressed fields) is not shown. Do not test with an account that holds viewsuppressed, since such a user is expected to see the entry.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CheckUser queries, especially for suppressed log entries
  • Multiple failed permission checks for CheckUser access

Network Indicators:

  • HTTP requests to CheckUser special pages from unauthorized users

SIEM Query:

source="mediawiki" AND (uri_path="/wiki/Special:CheckUser" OR message="CheckUser") AND user NOT IN [authorized_admin_list]
