CVE-2025-67482

N/A Unknown

📋 TL;DR

This vulnerability in Wikimedia's Scribunto extension and luasandbox library allows attackers to execute arbitrary Lua code within the context of the MediaWiki application. It affects all MediaWiki installations using vulnerable versions of Scribunto. Attackers with edit permissions could exploit this to compromise the wiki server.

💻 Affected Systems

Products:
  • Wikimedia Scribunto
  • Wikimedia luasandbox
Versions: Scribunto: before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: before fea2304f8f6ab30314369a612f4f5b165e68e95a
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects MediaWiki installations with Scribunto extension enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data exfiltration, or lateral movement within the network.

🟠

Likely Case

Privileged users with edit rights could execute arbitrary Lua code, potentially accessing sensitive data or modifying wiki content.

🟢

If Mitigated

With proper access controls limiting edit permissions, impact is reduced to authorized users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires edit permissions on the wiki. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Scribunto: 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: fea2304f8f6ab30314369a612f4f5b165e68e95a or later

Vendor Advisory: https://phabricator.wikimedia.org/T408135

Restart Required: Yes

Instructions:

1. Update the Scribunto extension to a patched version.
2. Update the luasandbox library.
3. Restart MediaWiki services.
4. Clear any Lua module caches.

🔧 Temporary Workarounds

Disable Scribunto Extension (applies to: all)

Temporarily disable the Scribunto extension to prevent exploitation.

Edit LocalSettings.php and remove or comment out the line that loads the extension (`wfLoadExtension( 'Scribunto' );`, or the older `require_once` of `Scribunto.php`). Note that templates and pages that invoke Lua modules will stop rendering until the extension is re-enabled.

Restrict Edit Permissions (applies to: all)

Tighten user permissions to limit who can edit pages that contain Lua modules.

Configure $wgGroupPermissions in LocalSettings.php to restrict edit rights.
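A LocalSettings.php fragment for the second workaround, added here as an example (it is not from the advisory or from the Scribunto project): it keeps Scribunto enabled but makes editing in the Module namespace require a dedicated right, so only members of a specific group can create or change Lua modules. The group name `luaeditors` and the right name `edit-lua-modules` are assumptions.

```php
<?php
// Example LocalSettings.php fragment (not from the advisory or the project).
// Assumes Scribunto is loaded normally:
wfLoadExtension( 'Scribunto' );

// Scribunto registers the Module namespace as id 828. The NS_MODULE constant
// is only defined after extension registration runs, i.e. after this file
// has been parsed, so the numeric id must be used here.
$moduleNamespace = 828;

// Declare a custom right and grant it to a trusted group (names assumed).
$wgAvailableRights[] = 'edit-lua-modules';
$wgGroupPermissions['luaeditors']['edit-lua-modules'] = true;
$wgGroupPermissions['sysop']['edit-lua-modules']      = true;

// Core setting: any edit to a page in the Module namespace now also
// requires the custom right. Ordinary 'edit' permission elsewhere is
// unchanged, so the rest of the wiki keeps working.
$wgNamespaceProtection[$moduleNamespace] = [ 'edit-lua-modules' ];

// Only bureaucrats may add or remove members of the trusted group, so
// membership is an explicit administrative decision that is logged.
$wgAddGroups['bureaucrat'][]    = 'luaeditors';
$wgRemoveGroups['bureaucrat'][] = 'luaeditors';
```

Existing modules still execute for readers; the restriction applies to who may write them, which is the precondition the advisory identifies for exploitation.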

🧯 If You Can't Patch

  • Implement strict access controls to limit edit permissions to trusted users only.
  • Monitor logs for suspicious Lua module execution or unauthorized edit attempts.

🔍 How to Verify

Check if Vulnerable:

Check the Scribunto extension version on the wiki's Special:Version page, or inspect the installed extension files (for example includes/Engines/LuaCommon/lualib/mwInit.lua) to confirm which Scribunto revision is deployed.

Check Version:

The Scribunto extension has no standalone version command; use Special:Version. The MediaWiki core release (which the patched Scribunto versions track) can be printed from the command line with `php maintenance/run.php version` (MediaWiki 1.40 and later) or `php maintenance/version.php` (earlier releases).

Verify Fix Applied:

Confirm Scribunto version is 1.39.16, 1.43.6, 1.44.3, 1.45.1 or later via Special:Version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Lua module execution patterns
  • Multiple failed edit attempts on Lua modules
  • Suspicious user agent strings in edit logs

Network Indicators:

  • Unusual outbound connections from MediaWiki server post-edit

SIEM Query:

source="mediawiki.log" AND ("Scribunto" OR "Lua") AND ("error" OR "exception")
