CVE-2025-61647

N/A Unknown

📋 TL;DR

This vulnerability in Wikimedia Foundation's CheckUser extension allows unauthorized access to user information through the UserInfoHandler API endpoint. It affects systems running specific versions of the CheckUser extension where this API handler is exposed. Administrators and users relying on CheckUser functionality are impacted.

💻 Affected Systems

Products:
  • Wikimedia CheckUser Extension
Versions: From commit a3dc1bbcc33acbcca6831d6afaccbb1054c93a57 to 0584eb2ad564648aa3ce9c555dd044dda02b55f4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects MediaWiki installations with CheckUser extension enabled and the specific vulnerable commits. The UserInfoHandler API endpoint is the vulnerable component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive user data including IP addresses, user agent information, and potentially other metadata that should be restricted to authorized CheckUser administrators.

🟠 Likely Case

Unauthorized users could query user information that should be protected, potentially exposing user privacy data and violating access controls.

🟢 If Mitigated

With proper authentication and authorization controls, the impact would be limited to authorized users only accessing data they're permitted to view.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of the CheckUser API and access to the vulnerable endpoint. The vulnerability appears to be an authorization bypass in the UserInfoHandler.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check commit after 0584eb2ad564648aa3ce9c555dd044dda02b55f4

Vendor Advisory: https://phabricator.wikimedia.org/T399093

Restart Required: No

Instructions:

1. Update CheckUser extension to latest version
2. Verify the fix by checking that commit 0584eb2ad564648aa3ce9c555dd044dda02b55f4 is not present
3. Clear any caches if applicable

🔧 Temporary Workarounds

Disable UserInfoHandler API (applies to: all)

Temporarily disable the vulnerable API endpoint until patching is complete.

Edit LocalSettings.php to remove or comment out the CheckUser API configuration.

Restrict API Access (applies to: all)

Implement IP-based restrictions or additional authentication for CheckUser API endpoints.

Configure the web server (Apache/Nginx) to restrict access to the /api.php endpoints.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the CheckUser API endpoints
  • Enable detailed logging for all CheckUser API requests and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check if your CheckUser extension includes commits between a3dc1bbcc33acbcca6831d6afaccbb1054c93a57 and 0584eb2ad564648aa3ce9c555dd044dda02b55f4

Check Version:

git log --format='%H' | grep -E 'a3dc1bbcc33acbcca6831d6afaccbb1054c93a57|0584eb2ad564648aa3ce9c555dd044dda02b55f4'

(Run inside the extensions/CheckUser checkout. `--format='%H'` prints full 40-character hashes; the abbreviated hashes printed by `--oneline` would never match the full hashes in the pattern.)

Verify Fix Applied:

Verify that your CheckUser extension version is newer than commit 0584eb2ad564648aa3ce9c555dd044dda02b55f4

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /api.php?action=query&meta=userinfo
  • Unexpected user information queries from non-admin accounts
  • Failed authorization attempts on CheckUser endpoints

Network Indicators:

  • Unusual API request patterns to CheckUser endpoints
  • Requests to UserInfoHandler from unexpected IP addresses

SIEM Query:

(source="apache_access" OR source="nginx_access") AND (uri="/api.php" AND query="*userinfo*" AND NOT user="admin")

(The parentheses around the two `source` terms matter: without them `AND` binds tighter than `OR`, and the query would return every `apache_access` event.)
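A small detector for the log indicators listed above, as an added example (it is not part of this advisory or of the CheckUser project). It assumes web-server access logs in Combined Log Format and that the CheckUser REST route for the handler contains `checkuser` and `userinfo` in its path (an assumption; check the routes your deployed version registers). It cannot apply the `NOT user="admin"` clause of the SIEM query, because access logs do not record the MediaWiki account (the `%u` field is normally `-`); that filter needs MediaWiki's own API request logs.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_userinfo_request(target):
    """True for the advisory's indicators: action=query&meta=userinfo on
    api.php, or a CheckUser REST path (assumed shape) naming userinfo."""
    parts = urlsplit(target)
    if parts.path.endswith("/api.php"):
        metas = parse_qs(parts.query).get("meta", [])
        if any("userinfo" in m.split("|") for m in metas):
            return True
    path = parts.path.lower()
    return "checkuser" in path and "userinfo" in path

def scan_access_log(lines, threshold=3):
    """Return (hits, noisy_ips): every matching request as a dict, plus the
    source IPs that issued at least `threshold` such requests, which is the
    'unusual API request pattern' the advisory asks operators to watch for."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_userinfo_request(m["target"]):
            continue
        hits.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"])})
        per_ip[m["ip"]] += 1
    noisy = {ip for ip, n in per_ip.items() if n >= threshold}
    return hits, noisy

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2025:10:00:01 +0000] "GET /w/api.php?action=query&meta=userinfo&format=json HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Oct/2025:10:00:02 +0000] "GET /w/api.php?action=query&meta=userinfo|siteinfo HTTP/1.1" 200 640 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Oct/2025:10:00:03 +0000] "GET /w/rest.php/checkuser/v0/userinfo/ExampleUser HTTP/1.1" 403 88 "-" "curl/8.0"',
    '198.51.100.4 - - [12/Oct/2025:10:05:00 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Oct/2025:10:05:30 +0000] "GET /w/api.php?action=query&meta=siteinfo HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, noisy = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("IPs with repeated userinfo requests:", sorted(noisy))
```

Feed real log files line by line instead of `SAMPLE_LOG`, and tune `threshold` to the normal rate of legitimate CheckUser use on your wiki.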
