CVE-2025-61766
📋 TL;DR
The Bucket MediaWiki extension before version 1.0.0 recurses without bound when a query uses the '!=' comparator (the faulty path is in includes/Expression/MemberOfExpression.php, per the references below). Evaluating such a query exhausts the PHP call stack and consumes excessive memory, so a single query can take down the PHP worker handling it: a denial of service. Any MediaWiki installation running a Bucket version older than 1.0.0 is affected.
💻 Affected Systems
- Bucket MediaWiki extension
⚠️ Manual Verification Required
The CVE database entry for this issue carries no machine-readable version ranges, so automatic vulnerability detection cannot determine whether your system is affected. The vendor advisory itself states that versions before 1.0.0 are vulnerable, so the version checks below are the reliable test.
Why? The CVE record does not specify affected version ranges (none provided by the vendor/NVD in the structured fields).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion, potentially affecting all users of the MediaWiki instance.
Likely Case
Partial or intermittent denial of service affecting users attempting to query buckets with the vulnerable comparator.
If Mitigated
Minimal impact if the vulnerable comparator is not used in queries or if resource limits prevent complete exhaustion.
🎯 Exploit Status
Exploitation requires ability to query buckets using the '!=' comparator, which typically requires some level of access to the MediaWiki instance.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0
Vendor Advisory: https://github.com/weirdgloop/mediawiki-extensions-Bucket/security/advisories/GHSA-r9f2-4jh3-659j
Restart Required: No (if PHP opcache runs with opcache.validate_timestamps=0, reload PHP-FPM so the patched files are actually loaded)
Instructions:
1. Update the Bucket extension to version 1.0.0 or later.
2. For MediaWiki installations using Composer: run 'composer update weirdgloop/mediawiki-extensions-bucket'.
3. For manual installations: replace the extension files with the patched version from GitHub.
🔧 Temporary Workarounds
Disable Bucket extension
Temporarily disable the Bucket extension to prevent exploitation while planning the upgrade.
Remove or comment out 'wfLoadExtension('Bucket');' from LocalSettings.php
Restrict query access
Limit user permissions so that untrusted users cannot run bucket queries (there is no way to block only the '!=' comparator short of patching).
Adjust MediaWiki user rights to restrict the 'bucket-query' permission; confirm the exact right name in the extension's extension.json first, since restricting a right the extension does not define has no effect.
🧯 If You Can't Patch
- Implement rate limiting on bucket queries to prevent resource exhaustion
- Monitor PHP memory usage and call stack depth for abnormal patterns
🔍 How to Verify
Check if Vulnerable:
Check the Bucket extension version in MediaWiki's extension directory or via Composer.
Check Version:
For Composer: 'composer show weirdgloop/mediawiki-extensions-bucket'. For manual install: check the extension.json file for version number.
Verify Fix Applied:
Verify the extension version is 1.0.0 or later and test bucket queries with '!=' comparator no longer cause recursion.
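The version check above, as an added example that is not part of the page or the Bucket project: it reads the "version" field of extension.json, compares it against the 1.0.0 fix using semver ordering (so a 1.0.0 pre-release still counts as vulnerable), and treats an unreadable version as unpatched. The directory layout and the two extension.json files it builds are constructed for illustration.

```python
"""Added example: decide whether an installed Bucket extension predates the 1.0.0 fix.
Not code from the Bucket project; the sample extension.json files are constructed."""
import json
import os
import re
import tempfile

# (major, minor, patch, release-flag); the flag is 0 for a pre-release, 1 for a release,
# so 1.0.0-rc1 sorts before 1.0.0 as semver requires.
FIXED_VERSION = (1, 0, 0, 1)


def parse_version(version):
    """Turn '0.9.1', '1.2' or '1.0.0-rc1' into a comparable 4-tuple."""
    core, _, prerelease = version.strip().partition("-")
    nums = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group(0)))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]) + (0 if prerelease else 1,)


def is_vulnerable(version):
    """True when the reported version is older than the 1.0.0 fix."""
    return parse_version(version) < FIXED_VERSION


def check_extension_dir(ext_dir):
    """Read <ext_dir>/extension.json and return (version, vulnerable).
    A missing file or version field yields (None, True): an install whose
    version cannot be read should be treated as unpatched."""
    path = os.path.join(ext_dir, "extension.json")
    try:
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
    except (OSError, ValueError):
        return None, True
    version = manifest.get("version")
    if not isinstance(version, str):
        return None, True
    return version, is_vulnerable(version)


def demo():
    """Build two constructed extension directories (old and fixed) and check both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, version in (("old", "0.9.0"), ("fixed", "1.0.0")):
            ext_dir = os.path.join(tmp, name)
            os.makedirs(ext_dir)
            with open(os.path.join(ext_dir, "extension.json"), "w", encoding="utf-8") as fh:
                json.dump({"name": "Bucket", "version": version}, fh)
            results[name] = check_extension_dir(ext_dir)
    return results


if __name__ == "__main__":
    # On a real host, call check_extension_dir("/var/www/mediawiki/extensions/Bucket") instead.
    for name, (version, vulnerable) in demo().items():
        print(f"{name}: version={version} vulnerable={vulnerable}")
```

On a real installation point check_extension_dir at the extensions/Bucket directory; for Composer installs, compare the version printed by 'composer show weirdgloop/mediawiki-extensions-bucket' with is_vulnerable() the same way.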
📡 Detection & Monitoring
Log Indicators:
- PHP fatal errors for maximum function nesting level exceeded (this message comes from Xdebug; on production PHP without Xdebug the same recursion surfaces as 'Allowed memory size ... exhausted', as 'Maximum call stack size ... reached' on PHP 8.3+, or as a PHP-FPM worker segfault in the FPM log)
- High memory usage spikes in PHP logs
- Repeated bucket query failures
Network Indicators:
- Increased response times for MediaWiki queries
- HTTP 500 errors on bucket-related requests
SIEM Query:
source="php_error.log" AND ("Maximum function nesting level" OR "Maximum call stack size" OR "Allowed memory size") AND "Bucket"
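The log-indicator logic above run offline over sample lines, as an added example that is not from the page's SIEM or the Bucket project. The predicate mirrors the SIEM query (an exhaustion message AND 'Bucket' on the same line) and adds per-minute bucketing so a burst from one path can trip an alert threshold. The log lines are constructed to resemble PHP-FPM error output referencing the file named in the references; real formats vary.

```python
"""Added example: apply the exhaustion indicators to PHP error-log lines.
Not code from the page or the Bucket project; SAMPLE_LOG is constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: three true hits in the 10:01 minute, one nesting error outside
# Bucket, and one Bucket warning that is not an exhaustion message.
SAMPLE_LOG = """\
[12-Nov-2025 10:01:02 UTC] PHP Fatal error:  Maximum function nesting level of '256' reached, aborting! in /var/www/mediawiki/extensions/Bucket/includes/Expression/MemberOfExpression.php on line 34
[12-Nov-2025 10:01:05 UTC] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in /var/www/mediawiki/extensions/Bucket/includes/Expression/MemberOfExpression.php on line 34
[12-Nov-2025 10:01:20 UTC] PHP Fatal error:  Maximum call stack size of 8339456 bytes reached. Infinite recursion? in /var/www/mediawiki/extensions/Bucket/includes/Expression/MemberOfExpression.php on line 34
[12-Nov-2025 10:02:10 UTC] PHP Fatal error:  Maximum function nesting level of '256' reached, aborting! in /var/www/mediawiki/includes/parser/Parser.php on line 1200
[12-Nov-2025 10:03:00 UTC] PHP Warning:  file_get_contents(): failed to open stream in /var/www/mediawiki/extensions/Bucket/includes/Bucket.php on line 10
"""

# Xdebug nesting limit, PHP 8.3+ stack limit, and plain memory exhaustion.
INDICATORS = (
    "Maximum function nesting level",
    "Maximum call stack size",
    "Allowed memory size",
)
TS_RE = re.compile(r"^\[(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) UTC\]")


def is_indicator(line):
    """Same predicate as the SIEM query: an exhaustion message AND 'Bucket' on the line."""
    return "Bucket" in line and any(ind in line for ind in INDICATORS)


def find_hits(log_text):
    """Return the matching log lines in order."""
    return [line for line in log_text.splitlines() if is_indicator(line)]


def hits_per_minute(log_text):
    """Count hits per calendar minute; a cluster in one minute is the burst to alert on."""
    counts = Counter()
    for line in find_hits(log_text):
        m = TS_RE.match(line)
        if not m:
            continue  # unparseable timestamp: still counted by find_hits, not bucketed
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
        counts[ts.strftime("%Y-%m-%d %H:%M")] += 1
    return dict(counts)


def should_alert(log_text, threshold=3):
    """Alert when any single minute reaches the threshold number of hits."""
    return any(count >= threshold for count in hits_per_minute(log_text).values())


if __name__ == "__main__":
    for minute, count in sorted(hits_per_minute(SAMPLE_LOG).items()):
        print(f"{minute}: {count} exhaustion errors from Bucket")
    print("alert:", should_alert(SAMPLE_LOG))
```

Tune the threshold to the wiki's baseline: a single hit is already worth a look, since no legitimate query should exhaust the stack, but a per-minute burst distinguishes an active attempt from a one-off edit.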
🔗 References
- https://github.com/weirdgloop/mediawiki-extensions-Bucket/blob/ad704120a1660b5929fb5825db1cf85c9c77acf4/includes/Expression/MemberOfExpression.php#L34
- https://github.com/weirdgloop/mediawiki-extensions-Bucket/commit/6f4a71d531cb802cdb991d2a4ca7bf8fb691defd
- https://github.com/weirdgloop/mediawiki-extensions-Bucket/security/advisories/GHSA-r9f2-4jh3-659j