CVE-2025-61649


📋 TL;DR

This vulnerability in the Wikimedia Foundation's CheckUser extension for MediaWiki allows unauthorized access to user information. It affects installations running CheckUser from commit 7cedd58781d261f110651b6af4f41d2d11ae7309 onward. Wikimedia administrators and users with CheckUser access are primarily affected.

💻 Affected Systems

Products:
  • Wikimedia CheckUser extension
Versions: From commit 7cedd58781d261f110651b6af4f41d2d11ae7309 onward
Operating Systems: Any OS running MediaWiki with CheckUser
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where the CheckUser extension is enabled and configured. The vulnerable code is in src/Services/CheckUserUserInfoCardService.php.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized disclosure of sensitive user data, including IP addresses, user agent information, and potentially other metadata that should be restricted to authorized CheckUser administrators.

🟠 Likely Case

Privileged information leakage where users without proper authorization can access CheckUser data, compromising user privacy and violating access controls.

🟢 If Mitigated

Limited impact if proper authentication and authorization controls are enforced, though the vulnerability still represents a privilege escalation risk.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires some level of access, internet-facing MediaWiki instances with CheckUser enabled are at risk if attackers gain initial access.
🏢 Internal Only: HIGH - Internal users with any level of access could potentially exploit this to escalate privileges and access sensitive user information.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation likely requires some level of access to the MediaWiki instance. The vulnerability appears to be an authorization bypass rather than an unauthenticated access issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check commit after 7cedd58781d261f110651b6af4f41d2d11ae7309

Vendor Advisory: https://phabricator.wikimedia.org/T397396

Restart Required: No

Instructions:

1. Update the CheckUser extension to the latest version.
2. Apply the security patch from the Wikimedia repository.
3. Clear the MediaWiki cache.
4. Verify that authorization controls are functioning properly.

🔧 Temporary Workarounds

Disable CheckUser extension

Applies to: all

Temporarily disable the CheckUser extension to prevent exploitation while awaiting the patch.

Edit LocalSettings.php and comment out wfLoadExtension('CheckUser');

Restrict access to CheckUser

Applies to: all

Tighten access controls and limit CheckUser permissions to essential administrators only.

Update $wgGroupPermissions in LocalSettings.php to restrict the 'checkuser' permission.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MediaWiki instances
  • Enable detailed logging and monitoring for CheckUser access patterns

🔍 How to Verify

Check if Vulnerable:

Check whether the CheckUser extension is enabled and whether the deployed commit is 7cedd58781d261f110651b6af4f41d2d11ae7309 or later.

Check Version:

Check the git log of the CheckUser extension directory, or examine the extension version listed on Special:Version in MediaWiki.

Verify Fix Applied:

Test CheckUser functionality with non-administrator accounts to confirm that authorization controls are enforced.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to CheckUser endpoints
  • Unusual CheckUser queries from non-administrator accounts

Network Indicators:

  • Requests to /w/index.php?title=Special:CheckUser or similar CheckUser endpoints

SIEM Query:

source="mediawiki.log" AND ("CheckUser" OR "Special:CheckUser") AND NOT user_group="sysop"
