CVE-2025-61658

N/A Unknown

📋 TL;DR

This vulnerability in Wikimedia Foundation's CheckUser extension allows unauthorized access to sensitive user contribution data. It affects administrators and users of MediaWiki installations running vulnerable CheckUser versions. The issue stems from improper access control in GlobalContributionsPager.php.

💻 Affected Systems

Products:
  • Wikimedia CheckUser extension
Versions: CheckUser versions before 1.43.4 and 1.44.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects MediaWiki installations with CheckUser extension enabled. The vulnerability is in the GlobalContributionsPager.php file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized users could access detailed contribution history of any user, potentially exposing sensitive editing patterns, IP addresses, and user behavior data.

🟠 Likely Case

Privilege escalation allowing users with limited permissions to access CheckUser functionality they shouldn't have access to.

🟢 If Mitigated

Limited exposure if proper access controls and network segmentation are in place, restricting access to authorized administrators only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation likely requires some level of access to the MediaWiki instance. The vulnerability appears to be an access control bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CheckUser 1.43.4 or 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T404805

Restart Required: No

Instructions:

1. Update CheckUser extension to version 1.43.4 or 1.44.1.
2. For MediaWiki installations:
   a) Download updated extension from official repository.
   b) Replace existing CheckUser files.
   c) Clear MediaWiki cache if necessary.

🔧 Temporary Workarounds

Disable CheckUser extension (all platforms)

Temporarily disable the vulnerable CheckUser extension until patching is possible.

Edit LocalSettings.php and comment out or remove:

wfLoadExtension('CheckUser');

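Restrict access to CheckUser (all platforms)

Limit CheckUser functionality to trusted administrators only.

In LocalSettings.php add:

$wgGroupPermissions['*']['checkuser'] = false;
$wgGroupPermissions['sysop']['checkuser'] = true;

The second line grants the checkuser right to every member of the sysop group; leave it out if that right is already held by a narrower group on your wiki.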

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the MediaWiki instance
  • Enable detailed logging and monitoring of CheckUser functionality usage

🔍 How to Verify

Check if Vulnerable:

Check the CheckUser extension version in MediaWiki's extension directory or on the Special:Version page.

Check Version:

grep '"version"' /path/to/mediawiki/extensions/CheckUser/extension.json

Verify Fix Applied:

Verify the CheckUser extension version is 1.43.4 or higher in the 1.43 series, or 1.44.1 or higher in the 1.44 series.
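
Added example (not code from the original page or from the CheckUser project): a series-aware version check for the fixed releases listed above, showing that 1.44.0 satisfies a plain "1.43.4 or higher" comparison yet is still affected. It assumes the version is supplied as a major.minor.patch string in the form this page uses; the function names are hypothetical.

```python
import re

# Fixed releases named on this page, keyed by (major, minor) release series.
FIXED_PATCH = {(1, 43): 4, (1, 44): 1}


def parse_version(text):
    """Parse a 'major.minor.patch' string into a tuple of ints."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if match is None:
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """Series-aware check against the fixed releases 1.43.4 and 1.44.1."""
    major, minor, patch = parse_version(version)
    series = (major, minor)
    if series in FIXED_PATCH:
        return patch < FIXED_PATCH[series]
    # Older series fall under "before 1.43.4". Newer series are ASSUMED
    # (not stated on the page) to already contain the fix.
    return series < min(FIXED_PATCH)


def naive_looks_fixed(version):
    """Single-threshold reading of '1.43.4 or higher', shown for contrast."""
    return parse_version(version) >= (1, 43, 4)


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real installation.
    for sample in ("1.42.9", "1.43.3", "1.43.4", "1.44.0", "1.44.1", "1.45.0"):
        state = "vulnerable" if is_vulnerable(sample) else "fixed"
        print(sample, state, "| naive says fixed:", naive_looks_fixed(sample))
```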

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to CheckUser functionality
  • Unexpected user queries to GlobalContributions

Network Indicators:

  • Unusual traffic patterns to CheckUser-related endpoints

SIEM Query:

source="mediawiki.log" AND ("CheckUser" OR "GlobalContributions") AND user!="authorized_admin_user"
