CVE-2025-61653

N/A Unknown

📋 TL;DR

This vulnerability in the Wikimedia Foundation's TextExtracts extension for MediaWiki allows attackers to execute arbitrary code or access sensitive data through improper input validation in the extension's API query handler. It affects MediaWiki installations running TextExtracts before the patched versions listed below. Administrators of MediaWiki sites with this extension enabled are affected.

💻 Affected Systems

Products:
  • MediaWiki TextExtracts extension
Versions: TextExtracts before 1.39.14, before 1.43.4, before 1.44.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects MediaWiki installations with TextExtracts extension enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠

Likely Case

Information disclosure or limited server-side code execution affecting the MediaWiki instance.

🟢

If Mitigated

Limited impact if proper input validation and security controls are implemented at the web application layer.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Based on the Phabricator ticket, this appears to be an input validation issue that could be exploited via API requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: TextExtracts 1.39.14, 1.43.4, or 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T397577

Restart Required: No

Instructions:

1. Update MediaWiki to a supported version.
2. Update the TextExtracts extension to a patched version.
3. Clear the MediaWiki cache if needed.

🔧 Temporary Workarounds

Disable TextExtracts Extension (applies to: all platforms)

Temporarily disable the vulnerable extension until patching is possible.

Edit LocalSettings.php and comment out or remove the line that loads the extension:

// wfLoadExtension('TextExtracts');

Note that this removes the extracts API (action=query&prop=extracts) entirely, so any client or extension that depends on it will stop working until the extension is re-enabled on a patched version.

🧯 If You Can't Patch

  • Implement strict input validation at the web application firewall level
  • Restrict API access to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check the TextExtracts version in MediaWiki's extensions directory or via the Special:Version page.

Check Version:

grep -r 'version' /path/to/mediawiki/extensions/TextExtracts/extension.json

Verify Fix Applied:

Confirm the TextExtracts version is at or above the fixed release for its branch: 1.39.14 or later on the 1.39 branch, 1.43.4 or later on the 1.43 branch, or 1.44.1 or later on the 1.44 branch.
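The branch-aware comparison above is easy to get wrong by hand (1.43.4 is fixed, but 1.44.0 is not, even though it is "newer"). The following is an added example, not code from the advisory or from the MediaWiki project: it parses the version string from an extension.json document and decides, using only the fixed releases this page lists, whether that version is patched. The sample extension.json is constructed for the example; the 1.40 through 1.42 branches have no fixed release on this page, so the check treats them as vulnerable rather than guessing.

```python
import json
import re

# First patched PATCH level per MAJOR.MINOR branch, taken from the advisory.
FIXED_RELEASES = {
    (1, 39): 14,
    (1, 43): 4,
    (1, 44): 1,
}


def parse_version(version):
    """Return (major, minor, patch) from strings such as '1.39.14' or 'v1.44.1-rc.0'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_patched(version):
    """True if the version is at or above the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return patch >= FIXED_RELEASES[branch]
    if branch > max(FIXED_RELEASES):
        # A branch newer than any listed fix was cut after the fix landed.
        return True
    # Older branch, or a branch with no fixed release on the advisory
    # (1.40-1.42): no patched build is listed, so treat as vulnerable.
    return False


def check_extension_json(text):
    """Classify an extension.json document as patched / vulnerable / unknown."""
    data = json.loads(text)
    version = data.get("version")  # assumption: the file carries a 'version' key
    if version is None:
        return "unknown", None
    return ("patched" if is_patched(version) else "vulnerable"), version


# Constructed sample document, standing in for
# /path/to/mediawiki/extensions/TextExtracts/extension.json
SAMPLE_EXTENSION_JSON = '{"name": "TextExtracts", "version": "1.39.13"}'

if __name__ == "__main__":
    status, version = check_extension_json(SAMPLE_EXTENSION_JSON)
    print(f"TextExtracts {version}: {status}")
```

If extension.json carries no version field, the check reports "unknown" instead of guessing; in that case use the version shown on Special:Version, which is what the page's own verification step relies on.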

📡 Detection & Monitoring

Log Indicators:

  • Unusual request volumes or patterns against the ApiQueryExtracts module (action=query&prop=extracts)
  • Error messages related to input validation failures

Network Indicators:

  • Abnormal requests to /w/api.php with action=query&prop=extracts parameters

SIEM Query:

source="mediawiki.log" AND "ApiQueryExtracts" AND (error OR exception)
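The network indicator above (requests to /w/api.php carrying action=query&prop=extracts) can be checked directly against web server access logs where no SIEM is in place. The following is an added example, not code from the advisory or from the MediaWiki project: it parses combined-format access log lines, identifies extracts requests (including multi-valued prop=extracts|info), counts them per client, and lists any that returned a 5xx status. The log lines, client addresses and the threshold of 5 are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes %7C back to '|' and returns lists; keep the first value.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_extracts_request(rec):
    """True for api.php requests that ask for the extracts property."""
    if not rec["path"].endswith("/api.php"):
        return False
    q = rec["query"]
    if q.get("action") != "query":
        return False
    # prop is multi-valued and pipe-separated in the MediaWiki API.
    return "extracts" in q.get("prop", "").split("|")


def analyse(lines, threshold=5):
    """Summarise extracts traffic: noisy clients, server errors, total count."""
    per_ip = Counter()
    server_errors = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_extracts_request(rec):
            continue
        per_ip[rec["ip"]] += 1
        if rec["status"] >= 500:
            server_errors.append((rec["ip"], rec["target"], rec["status"]))
    noisy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return {
        "noisy_clients": noisy,
        "server_errors": server_errors,
        "extracts_total": sum(per_ip.values()),
    }


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /w/api.php?action=query&prop=extracts&titles=Main_Page&exintro=1 HTTP/1.1" 200 1532',
    '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /w/api.php?action=query&prop=extracts&titles=Alpha&exchars=200 HTTP/1.1" 200 611',
    '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /w/api.php?action=query&prop=extracts&titles=Beta&exchars=200 HTTP/1.1" 200 598',
    '203.0.113.7 - - [10/Oct/2025:12:00:03 +0000] "GET /w/api.php?action=query&prop=extracts&titles=Gamma&exchars=200 HTTP/1.1" 200 640',
    '203.0.113.7 - - [10/Oct/2025:12:00:03 +0000] "GET /w/api.php?action=query&prop=extracts&titles=Delta&exchars=200 HTTP/1.1" 200 577',
    '203.0.113.7 - - [10/Oct/2025:12:00:04 +0000] "GET /w/api.php?action=query&prop=extracts%7Cinfo&titles=Epsilon&exchars=200 HTTP/1.1" 500 412',
    '198.51.100.4 - - [10/Oct/2025:12:01:10 +0000] "GET /w/api.php?action=query&prop=extracts&titles=Foo HTTP/1.1" 200 901',
    '198.51.100.4 - - [10/Oct/2025:12:01:11 +0000] "GET /w/api.php?action=query&prop=info&titles=Foo HTTP/1.1" 200 300',
    '192.0.2.9 - - [10/Oct/2025:12:02:00 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The MediaWiki API also accepts POST, and POST parameters do not appear in a standard access log, so this only sees GET traffic; pair it with the SIEM query on the application log above, which catches the ApiQueryExtracts errors regardless of HTTP method.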
