CVE-2025-61634

N/A Unknown

📋 TL;DR

This vulnerability in MediaWiki's PageHTMLHandler.php allows attackers to execute unauthorized actions through the REST API. It affects all MediaWiki instances running vulnerable versions, potentially compromising wiki content integrity. The vulnerability stems from improper input validation in the page HTML rendering endpoint.

💻 Affected Systems

Products:
  • Wikimedia Foundation MediaWiki
Versions: MediaWiki versions before 1.39.14, 1.43.4, and 1.44.1
Operating Systems: All operating systems running MediaWiki
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all MediaWiki installations with REST API enabled (default configuration).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify or delete wiki pages, inject malicious content, or potentially escalate privileges through the REST API interface.

🟠 Likely Case

Unauthorized content modification or injection of malicious scripts into wiki pages accessible to users.

🟢 If Mitigated

Limited impact with proper API access controls and input validation in place, though the vulnerability still exists at the code level.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of MediaWiki's REST API structure and authentication mechanisms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki 1.39.14, 1.43.4, or 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T387478

Restart Required: No

Instructions:

1. Back up your MediaWiki installation and database.
2. Update MediaWiki to version 1.39.14, 1.43.4, or 1.44.1, depending on your current branch.
3. Verify the update completed successfully.
4. Test core functionality.

🔧 Temporary Workarounds

Disable REST API endpoint

all

Temporarily disable the vulnerable PageHTMLHandler REST endpoint

Edit LocalSettings.php and add: $wgRestAPIAdditionalRoutes = [];

Restrict API access

all

Limit REST API access to trusted IP addresses only

Edit LocalSettings.php and add appropriate $wgRestAPIAdditionalRoutes restrictions

🧯 If You Can't Patch

  • Implement strict network access controls to limit REST API access to trusted sources only
  • Enable detailed logging of all REST API requests and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check MediaWiki version in includes/DefaultSettings.php or via Special:Version page

Check Version:

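# MediaWiki 1.35 and later define the version number as MW_VERSION in includes/Defines.php
grep -E "wgVersion|MW_VERSION" includes/DefaultSettings.php includes/Defines.php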

Verify Fix Applied:

Verify that the installed version is 1.39.14, 1.43.4, or 1.44.1 (matching your branch), or higher
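
The branch-by-branch comparison behind this check, as an added example (not code from MediaWiki or from this advisory's source). The function names are made up for the example; it assumes the version string is stored as MW_VERSION in includes/Defines.php, and that a branch with no fixed release of its own is compared against the 1.44 branch, following the "before" wording above.

```shell
#!/bin/sh
# Added example, not MediaWiki project code. Fixed releases are the ones this
# advisory lists; a branch with no listed fix is compared with the newest one.
FIXED_RELEASES="1.39.14 1.43.4 1.44.1"
NEWEST_FIXED_BRANCH_MINOR=44   # taken from 1.44.1

# Print "vulnerable", "fixed" or "unknown" for a version string like 1.43.3.
mw_cve_2025_61634_status() {
    case $1 in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # rc/alpha suffixes: check by hand
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                     # split into major minor patch
    IFS=$old_ifs
    if [ $# -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo unknown; return 0
    fi
    for fix in $FIXED_RELEASES; do
        if [ "$1.$2" = "${fix%.*}" ]; then        # same release branch
            if [ "$3" -lt "${fix##*.}" ]; then echo vulnerable; else echo fixed; fi
            return 0
        fi
    done
    # Branch without its own fixed release (for example 1.42 or 1.45).
    if [ "$1" -lt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -lt "$NEWEST_FIXED_BRANCH_MINOR" ]; }; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Assumption: the version is read from a line of the form
#   define( 'MW_VERSION', '1.43.3' );
# as found in includes/Defines.php of MediaWiki 1.35 and later.
mw_version_from_defines() {
    sed -n "s/^define( *'MW_VERSION', *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Constructed sample versions, one per case.
for v in 1.39.13 1.39.14 1.42.7 1.43.4 1.44.0 1.45.0 1.44.0-rc.1; do
    printf '%-12s %s\n' "$v" "$(mw_cve_2025_61634_status "$v")"
done
```

On a real installation, pass the output of mw_version_from_defines includes/Defines.php to mw_cve_2025_61634_status; an "unknown" result means the version string needs a manual look.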

📡 Detection & Monitoring

Log Indicators:

  • Unusual REST API requests to PageHTMLHandler endpoint
  • Multiple failed authentication attempts followed by successful API calls
  • Unexpected page modifications via API

Network Indicators:

  • Unusual traffic patterns to /rest.php/page/html endpoint
  • API requests from unexpected IP addresses or user agents

SIEM Query:

source="mediawiki.log" AND ("PageHTMLHandler" OR "/rest.php/page/html") AND (status="200" OR "POST")
