CVE-2025-67478

N/A Unknown

📋 TL;DR

This vulnerability in Wikimedia Foundation's CheckUser extension allows attackers to potentially execute unauthorized actions through the Mail/UserMailer.php component. It affects all Wikimedia installations running vulnerable CheckUser versions. The exact impact depends on configuration and access levels.

💻 Affected Systems

Products:
  • Wikimedia CheckUser Extension
Versions: Before 1.39.14, 1.43.4, 1.44.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Wikimedia installations using CheckUser extension

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthenticated remote code execution leading to complete system compromise and data exfiltration

🟠

Likely Case

Privilege escalation or unauthorized access to user data through CheckUser functionality

🟢

If Mitigated

Limited impact if proper access controls and input validation are in place

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation likely requires some level of access to the system

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.39.14, 1.43.4, or 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T385403

Restart Required: No

Instructions:

1. Back up your current installation.
2. Update the CheckUser extension to version 1.39.14, 1.43.4, or 1.44.1.
3. Verify the update was successful.
4. Clear any caches if applicable.

🔧 Temporary Workarounds

Disable CheckUser Extension

Applies to: all

Temporarily disable the CheckUser extension until patching is possible

Edit LocalSettings.php and remove or comment out wfLoadExtension('CheckUser');

Restrict Access to CheckUser

Applies to: all

Limit CheckUser functionality to trusted administrators only

Edit LocalSettings.php to add: $wgGroupPermissions['sysop']['checkuser'] = true;

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Enhance monitoring and logging for CheckUser-related activities

🔍 How to Verify

Check if Vulnerable:

Check the CheckUser extension version in your MediaWiki installation

Check Version:

Check the version in the extension's extension.json file or via MediaWiki Special:Version page

Verify Fix Applied:

Verify that the installed CheckUser extension version is 1.39.14, 1.43.4, or 1.44.1, or a later release in the same branch

📡 Detection & Monitoring

Log Indicators:

  • Unusual CheckUser queries
  • Unexpected mail-related activities
  • Unauthorized access attempts to CheckUser functionality

Network Indicators:

  • Suspicious requests to Mail/UserMailer.php endpoints
  • Unusual outbound connections from the MediaWiki server

SIEM Query:

source="mediawiki" AND (uri_path="*Mail/UserMailer.php*" OR message="*CheckUser*")
