CVE-2025-61641
📋 TL;DR
This vulnerability in MediaWiki's ApiQueryAllPages.php allows attackers to potentially access or manipulate page data through the API. It affects MediaWiki instances running vulnerable versions, particularly those exposed to untrusted users. The exact impact depends on the specific vulnerability details not fully disclosed in the reference.
💻 Affected Systems
- Wikimedia Foundation MediaWiki
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized access to sensitive page content, data manipulation, or potential privilege escalation through API abuse.
Likely Case
Information disclosure of non-public page data or limited data manipulation through API parameters.
If Mitigated
Minimal impact if proper access controls and API rate limiting are implemented.
🎯 Exploit Status
Exploitation likely requires some understanding of MediaWiki API structure. No public exploit details available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.39.14, 1.43.4, or 1.44.1
Vendor Advisory: https://phabricator.wikimedia.org/T298690
Restart Required: No
Instructions:
1. Backup your MediaWiki installation and database.
2. Download and install the patched version from mediawiki.org.
3. Run update.php if database schema changes are required.
4. Verify the installation is functioning correctly.
🔧 Temporary Workarounds
Restrict API Access
Limit access to the ApiQueryAllPages endpoint (api.php with action=query&list=allpages) using web server rules or MediaWiki permissions.
# Example Apache mod_rewrite rules to block the allpages list module.
# A RewriteRule pattern is matched against the URL path only, so the query
# string has to be tested with RewriteCond. The loose [^&]* match also catches
# "allpages" inside a pipe-separated list value (list=allpages|allusers or
# its %7C-encoded form). Caveat: mod_rewrite does not see parameters sent in
# a POST body, so this is a partial control until the patch is applied.
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)list=[^&]*allpages [NC]
RewriteRule (^|/)api\.php$ - [F]
Disable API Module
Temporarily disable the affected API module via LocalSettings.php.
# Add to LocalSettings.php: replace the module with MediaWiki's built-in
# ApiQueryDisabled stub, which returns an error for every list=allpages
# request. Assigning false is not a valid module spec, so the original line
# would not disable the module.
$wgAPIListModules['allpages'] = 'ApiQueryDisabled';
🧯 If You Can't Patch
- Implement strict access controls to limit who can use the MediaWiki API
- Monitor API logs for unusual query patterns targeting the allpages endpoint
🔍 How to Verify
Check if Vulnerable:
Check the MediaWiki version in includes/DefaultSettings.php or via the Special:Version page. If the version is earlier than 1.39.14, 1.43.4, or 1.44.1 on its release branch, the system is vulnerable.
Check Version:
# $wgVersion is no longer defined in DefaultSettings.php on the affected
# branches; the version constant is MW_VERSION in includes/Defines.php.
grep 'MW_VERSION' includes/Defines.php
Verify Fix Applied:
Verify that the version is 1.39.14, 1.43.4, 1.44.1 or later on its release branch via Special:Version or includes/DefaultSettings.php.
📡 Detection & Monitoring
Log Indicators:
- Unusual API queries to api.php with action=query and list=allpages parameters
- High volume of requests to the allpages API endpoint
Network Indicators:
- Abnormal patterns in API request traffic
- Requests with malformed parameters to api.php
SIEM Query:
source="mediawiki_logs" AND (uri_path="/api.php" AND query_string CONTAINS "list=allpages")
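The log indicators above and the "monitor API logs" workaround can be turned into a small detection pass over web server access logs. The following is an added example, not part of the advisory: it parses constructed Apache combined-format lines (hypothetical IPs and paths), recognises allpages requests even when the list= value is pipe-separated or percent-encoded, and flags source IPs whose request count reaches a threshold.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (Apache combined format); IPs and paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /w/api.php?action=query&list=allpages&aplimit=max HTTP/1.1" 200 51234 "-" "curl/8.4"
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /w/api.php?action=query&list=allpages&apcontinue=Foo HTTP/1.1" 200 51002 "-" "curl/8.4"
203.0.113.7 - - [10/Oct/2025:12:00:03 +0000] "GET /w/api.php?action=query&list=allpages%7Callusers&apnamespace=2 HTTP/1.1" 200 50877 "-" "curl/8.4"
198.51.100.4 - - [10/Oct/2025:12:00:05 +0000] "GET /w/api.php?action=query&prop=info&titles=Main_Page HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:12:00:06 +0000] "GET /w/index.php?title=Special:AllPages HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Pulls the client IP and the request target out of a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_allpages_query(target: str) -> bool:
    """True when the target is api.php with action=query and 'allpages' among the list= modules.
    MediaWiki accepts several list modules separated by '|' (or U+001F), so split before comparing."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "api.php":
        return False
    qs = parse_qs(parts.query)            # percent-decodes, so %7C becomes '|'
    if "query" not in qs.get("action", []):
        return False
    for raw in qs.get("list", []):
        if "allpages" in re.split(r"[|\x1f]", raw):
            return True
    return False

def count_allpages_by_ip(log_text: str) -> Counter:
    """Number of allpages requests per source IP; lines that do not parse are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_allpages_query(m.group("target")):
            hits[m.group("ip")] += 1
    return hits

def flag_sources(log_text: str, threshold: int = 3) -> list:
    """Source IPs whose allpages request count reaches the threshold (tune to the wiki's baseline)."""
    return sorted(ip for ip, n in count_allpages_by_ip(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in count_allpages_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} allpages requests")
    print("flagged:", flag_sources(SAMPLE_LOG))
```

Requests that carry their parameters in a POST body do not show the list= value in the access log, so pair this with application-level API logging where that is available.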