CVE-2025-67480

CVSS Score: N/A
Severity: Unknown

📋 TL;DR

The flaw is in MediaWiki's ApiQueryRevisionsBase (includes/Api/ApiQueryRevisionsBase.php), the base class shared by the revision-related API query modules: prop=revisions, prop=deletedrevisions, list=allrevisions and list=alldeletedrevisions. This page gives no details of the bug itself; the stated risk is that an attacker could read or manipulate revision data beyond what the wiki's permissions allow, potentially exposing edit history or revision metadata on any installation running an unpatched version.

💻 Affected Systems

Products:
  • Wikimedia Foundation MediaWiki
Versions: MediaWiki versions before 1.39.16, 1.43.6, 1.44.3, 1.45.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the includes/Api/ApiQueryRevisionsBase.php file in MediaWiki installations.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized access to sensitive revision data, potential information disclosure of private edits or metadata, or manipulation of revision history.

🟠

Likely Case

Information disclosure of revision metadata or limited data exposure through API queries.

🟢

If Mitigated

Minimal impact with proper access controls and API restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation likely requires some familiarity with the MediaWiki API; no public exploit details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki 1.39.16, 1.43.6, 1.44.3, or 1.45.1

Vendor Advisory: https://phabricator.wikimedia.org/T401053

Restart Required: No

Instructions:

1. Back up the MediaWiki installation directory and the database.
2. Update MediaWiki to 1.39.16, 1.43.6, 1.44.3 or 1.45.1, whichever matches your branch. Branches between 1.39 and 1.43 (1.40 to 1.42) received no fix; move those wikis to a supported branch.
3. Run maintenance/update.php (php maintenance/run.php update on 1.40 and later) so any schema changes shipped with the release are applied.
4. If PHP opcache runs with opcache.validate_timestamps=0, reload PHP-FPM or the web server so the patched files are actually loaded; otherwise no restart is needed.
5. Verify the update: Special:Version must show the new version number.

🔧 Temporary Workarounds

Restrict API Access


Limit access to the API entry point through web-server configuration or MediaWiki permissions. Keep in mind that api.php is a single entry point: the module that runs is selected by the action/prop/list parameters, sent either in the query string or in a POST body, so a web-server rule can only realistically restrict api.php as a whole. That also cuts off VisualEditor, search suggestions, gadgets and bots for every client outside the allowed range.

# Example Apache 2.4 restriction for the API entry point ("/w" must match
# $wgScriptPath). This blocks every API call from outside the range, not
# only revision queries: the module is selected by a query-string or POST
# parameter, so the web server cannot separate prop=revisions from the
# calls VisualEditor, search suggestions and gadgets make to this path.
<Location "/w/api.php">
    Require ip 192.168.1.0/24
</Location>
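A MediaWiki-side counterpart, added here as an example (it is not from the advisory or the MediaWiki manual): a LocalSettings.php fragment that either requires a login to read the wiki (the API honours the read right) or maps the four query modules built on ApiQueryRevisionsBase to the core ApiQueryDisabled stub. The module list comes from the class hierarchy, not from this page, which does not say which module the vulnerability is reached through; it is also assumed that the unnamespaced class name ApiQueryDisabled resolves on all four affected branches.

```php
// Append to LocalSettings.php. Added example for this page, not code from
// the advisory or the MediaWiki project. Pick ONE of the two options.

// Option A: require a login to read anything. ApiMain checks the 'read'
// right for every read-mode module, so anonymous clients lose
// prop=revisions and friends along with the rest of the wiki.
// Not suitable for a wiki that must stay publicly readable.
$wgGroupPermissions['*']['read'] = false;
// Pages that must stay reachable without a login.
$wgWhitelistRead = [ 'Main Page', 'Special:UserLogin' ];

// Option B: disable only the query modules that extend
// ApiQueryRevisionsBase by pointing them at the core ApiQueryDisabled
// stub (the same mechanism the manual documents for $wgAPIModules).
// The advisory does not say which of the four a working exploit needs,
// so the conservative choice is all of them. Expect breakage:
// VisualEditor, gadgets and bots fetch wikitext through prop=revisions.
// Assumption: the plain class name below resolves on 1.39 (where it is
// the real name) and on later branches (where it is kept as an alias).
$wgAPIPropModules['revisions']           = 'ApiQueryDisabled';
$wgAPIPropModules['deletedrevisions']    = 'ApiQueryDisabled';
$wgAPIListModules['allrevisions']        = 'ApiQueryDisabled';
$wgAPIListModules['alldeletedrevisions'] = 'ApiQueryDisabled';
```

After either change, a request such as api.php?action=query&prop=revisions&titles=Main_Page should come back with an error (readapidenied for option A, moduledisabled for option B) instead of revision data; confirm that before relying on the workaround.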

🧯 If You Can't Patch

  • Implement strict access controls to limit who can query revision data through the API.
  • Monitor API logs for unusual revision query patterns or unauthorized access attempts.

🔍 How to Verify

Check if Vulnerable:

Compare your MediaWiki version with the fixed versions above. File modification dates on includes/Api/ApiQueryRevisionsBase.php are a poor indicator (package managers and git checkouts reset them); read the version the code declares instead: Special:Version in the browser, the MW_VERSION constant in includes/Defines.php on the server, or the generator field returned by api.php?action=query&meta=siteinfo.

Check Version:

grep -m1 'MW_VERSION' includes/Defines.php

Verify Fix Applied:

Confirm the version is 1.39.16, 1.43.6, 1.44.3 or 1.45.1, or a later release of the same branch. Check the running wiki (Special:Version or meta=siteinfo) rather than the files on disk, so that a stale opcache or an unpatched second web node does not go unnoticed.
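The version comparison above, as an added example script that is not part of the advisory: it classifies a version string against the four fixed releases, branch by branch, and reads the version out of a meta=siteinfo reply. Branches the advisory does not list (1.40 to 1.42, which are end-of-life) are reported as unsupported rather than guessed at. The JSON reply embedded below is constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the advisory: classify a MediaWiki version
# string against the fixed releases 1.39.16, 1.43.6, 1.44.3 and 1.45.1.

fixed_patch_for_branch() {
    case "$1" in
        1.39) echo 16 ;;
        1.43) echo 6 ;;
        1.44) echo 3 ;;
        1.45) echo 1 ;;
        *)    echo "" ;;   # no fix listed for this branch
    esac
}

# mw_status VERSION  -> prints fixed | vulnerable | unsupported
mw_status() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    case "$rest" in
        *.*) minor="${rest%%.*}"; patch="${rest#*.}" ;;
        *)   minor="$rest";       patch=0 ;;
    esac
    # keep only the leading digits of the patch level ("6-rc.1" -> "6")
    patch="${patch%%[!0-9]*}"
    [ -n "$patch" ] || patch=0
    need="$(fixed_patch_for_branch "$major.$minor")"
    if [ -z "$need" ]; then
        echo unsupported
    elif [ "$patch" -ge "$need" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Pull "MediaWiki X.Y.Z" out of an action=query&meta=siteinfo JSON reply
# read from stdin. The wiki's own report beats file modification dates.
siteinfo_version() {
    sed -n 's/.*"generator": *"MediaWiki \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_siteinfo_json JSON  -> "X.Y.Z <status>"
check_siteinfo_json() {
    v="$(printf '%s' "$1" | siteinfo_version)"
    [ -n "$v" ] || { echo "no generator field in reply"; return 3; }
    printf '%s %s\n' "$v" "$(mw_status "$v")"
}

# Constructed sample reply, shaped like what an unpatched 1.43 wiki returns.
SAMPLE_SITEINFO='{"batchcomplete":"","query":{"general":{"sitename":"Example","generator":"MediaWiki 1.43.5"}}}'

# Against a live wiki (not run here):
#   curl -s 'https://wiki.example.org/w/api.php?action=query&meta=siteinfo&format=json' \
#     | siteinfo_version | xargs -I{} sh -c 'echo {} $(mw_status {})'
check_siteinfo_json "$SAMPLE_SITEINFO"
```

Run it against every web node behind a load balancer, not just one; meta=siteinfo reports whichever node answered.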

📡 Detection & Monitoring

Log Indicators:

  • Unusual API query patterns for revision data
  • Multiple failed revision API requests
  • Revision queries from unexpected IP addresses

Network Indicators:

  • Abnormal traffic to /w/api.php endpoint with revision parameters
  • Increased API request volume

SIEM Query:

Field names depend on your log extraction; the filter below keys on the query string, so it only sees GET requests. Parameters sent in a POST body are visible only in MediaWiki's own api log channel ($wgDebugLogGroups['api']), which records the parameters of every API call.

source="mediawiki.logs" path="/w/api.php" status="200" (api_query="*prop=*revisions*" OR api_query="*list=all*revisions*") | stats count by src_ip | sort - count
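The same per-IP count run over MediaWiki's api log channel, as an added example that is not part of the advisory. The sample lines are constructed to follow the shape ApiMain's request logging writes (API METHOD user ip T=Nms param=value ...); real lines carry more parameters, and the '|' separator of multi-value parameters is logged percent-encoded as %7C, which the matcher handles alongside the literal form.

```sh
#!/bin/sh
# Added example, not from the advisory: count revision-API queries per
# client IP over MediaWiki's 'api' log channel. Unlike a web-server access
# log, that channel records POST parameters too.

# Constructed sample lines (not real traffic). Anonymous users appear
# under their IP as the user name, so the IP is always field 4.
SAMPLE_API_LOG='API GET Alice 192.0.2.10 T=12ms action=query prop=revisions titles=Main_Page rvprop=content
API GET 203.0.113.7 203.0.113.7 T=3ms action=query list=allrevisions arvlimit=500
API POST Bob 198.51.100.4 T=9ms action=query prop=deletedrevisions titles=Secret drvprop=content
API GET 203.0.113.7 203.0.113.7 T=4ms action=query list=allrevisions arvlimit=500 arvcontinue=20250101000000%7C12345
API GET Bob 198.51.100.4 T=6ms action=query prop=info%7Crevisions titles=Main_Page
API GET 192.0.2.10 192.0.2.10 T=2ms action=query meta=siteinfo
API GET Alice 192.0.2.10 T=5ms action=parse page=Main_Page'

# revision_queries_by_ip: stdin = api log lines, stdout = "ip count", sorted by ip.
# Matches the four query modules built on ApiQueryRevisionsBase:
# prop=revisions, prop=deletedrevisions, list=allrevisions, list=alldeletedrevisions.
revision_queries_by_ip() {
    awk '
    $1 == "API" && / action=query( |$)/ {
        hit = 0
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^(prop|list)=/) {
                val = substr($i, index($i, "=") + 1)
                # multi-value parameters: literal "|" or its %7C encoding
                n = split(val, tok, "[|]|%7C")
                for (j = 1; j <= n; j++)
                    if (tok[j] ~ /^(revisions|deletedrevisions|allrevisions|alldeletedrevisions)$/)
                        hit = 1
            }
        }
        if (hit) count[$4]++
    }
    END { for (ip in count) printf "%s %d\n", ip, count[ip] }
    ' | sort
}

# noisy_ips THRESHOLD: stdin = api log lines; prints IPs at or above the threshold.
noisy_ips() {
    revision_queries_by_ip | awk -v t="$1" '$2 >= t { print $1 }'
}

# Live use (not run here): tail the channel's log file into the function, e.g.
#   tail -n 100000 /var/log/mediawiki/api.log | noisy_ips 500
printf '%s\n' "$SAMPLE_API_LOG" | revision_queries_by_ip
```

Pick the threshold from a baseline of your own wiki: bots that mirror content legitimately issue thousands of list=allrevisions calls, so alert on deviation from the usual sources rather than on raw volume alone.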
