CVE-2025-61643

N/A Unknown

📋 TL;DR

This vulnerability in MediaWiki's RecentChangeRCFeedNotifier.php allows attackers to execute arbitrary code or cause denial of service through improper input validation. It affects all MediaWiki instances running vulnerable versions that have recent changes feeds enabled. Administrators of MediaWiki installations should prioritize patching.

💻 Affected Systems

Products:
  • Wikimedia Foundation MediaWiki
Versions: MediaWiki versions before 1.39.14, 1.43.4, and 1.44.1
Operating Systems: All operating systems running MediaWiki
Default Config Vulnerable: ⚠️ Yes
Notes: Requires recent changes feed functionality to be enabled, which is common in MediaWiki deployments

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or website defacement

🟠 Likely Case: Denial of service or limited information disclosure through crafted recent changes feed requests

🟢 If Mitigated: Minimal impact if recent changes feeds are disabled or proper input filtering is implemented

🌐 Internet-Facing: HIGH - MediaWiki instances are typically internet-facing and this affects core functionality
🏢 Internal Only: MEDIUM - Internal wikis could still be exploited by authenticated users or through other attack vectors

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Based on the Phabricator ticket, this appears to be an input validation issue that could be exploited without authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki 1.39.14, 1.43.4, or 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T403757

Restart Required: No

Instructions:

1. Back up your MediaWiki installation and database.
2. Download the patched version from mediawiki.org.
3. Replace the vulnerable files with patched versions.
4. Run update.php if database schema changes are required.

🔧 Temporary Workarounds

Disable Recent Changes Feeds (all platforms)

Temporarily disable the vulnerable recent changes feed functionality.

Edit LocalSettings.php and add: $wgRCFeeds = [];

Restrict Access to Recent Changes (all platforms)

Limit access to recent changes functionality to trusted users only.

Edit LocalSettings.php and configure $wgGroupPermissions to restrict 'recentchanges' rights

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for recent changes feed parameters
  • Deploy a web application firewall (WAF) with rules to block suspicious recent changes requests

🔍 How to Verify

Check if Vulnerable:

Check your MediaWiki version and compare against affected versions. Examine if includes/recentchanges/RecentChangeRCFeedNotifier.php exists in your installation.

Check Version:

Check the bottom of any MediaWiki page or examine includes/DefaultSettings.php for $wgVersion

Verify Fix Applied:

Verify your MediaWiki version is 1.39.14, 1.43.4, 1.44.1 or later. Check that the patched files have been properly deployed.
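The version comparison described above spans three release branches, so a plain "greater than" check gives wrong answers (1.43.3 is newer than 1.39.14 but still unpatched). The following is an added example, not code from MediaWiki or from this advisory; the function names are hypothetical, and it assumes that a branch without a fixed release listed on this page (for example 1.40 to 1.42) counts as unpatched.

```python
import re

# Fixed releases as listed on this page, keyed by (major, minor) branch.
FIXED_PATCH_LEVEL = {(1, 39): 14, (1, 43): 4, (1, 44): 1}
NEWEST_FIXED_BRANCH = max(FIXED_PATCH_LEVEL)


def parse_version(text):
    """Return (major, minor, patch) from a string such as '1.43.3'.

    Assumption: any suffix after the patch number (e.g. '-rc.1') is ignored.
    """
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"not a MediaWiki version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if the version is at or past the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH_LEVEL:
        # Same branch as a listed fix: compare the patch level only.
        return patch >= FIXED_PATCH_LEVEL[branch]
    # Assumption: branches newer than the newest listed fix already carry it;
    # older branches with no listed fix are treated as unpatched.
    return branch > NEWEST_FIXED_BRANCH


if __name__ == "__main__":
    # Constructed sample inventory of wiki hosts and their reported versions.
    inventory = {
        "wiki-a": "1.39.13",
        "wiki-b": "1.43.4",
        "wiki-c": "1.42.7",
        "wiki-d": "1.44.0-rc.1",
    }
    for host, version in inventory.items():
        state = "patched" if is_patched(version) else "NEEDS UPDATE"
        print(f"{host}: {version} -> {state}")
```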

📡 Detection & Monitoring

Log Indicators:

  • Unusual recent changes feed requests
  • Multiple failed recent changes operations
  • Unexpected PHP errors in recent changes processing

Network Indicators:

  • Abnormal traffic patterns to recent changes endpoints
  • Suspicious parameter values in recent changes API calls

SIEM Query:

source="mediawiki_logs" AND (message="*RecentChangeRCFeedNotifier*" OR message="*recentchanges*error*")
