CVE-2025-11173 Overview
A vulnerability has been identified in the Wikimedia Foundation OATHAuth extension, specifically within the src/Special/OATHManage.php file. This component is responsible for managing two-factor authentication (2FA) operations in MediaWiki installations using the OATHAuth extension. Organizations running affected versions should review their deployments and apply appropriate updates.
Critical Impact
Vulnerability in OATHAuth authentication management component affecting multiple MediaWiki versions prior to 1.39.14, 1.43.4, and 1.44.1.
Affected Products
- OATHAuth versions prior to 1.39.14
- OATHAuth versions prior to 1.43.4
- OATHAuth versions prior to 1.44.1
Discovery Timeline
- 2026-02-03 - CVE-2025-11173 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-11173
Vulnerability Analysis
The vulnerability exists within the OATHAuth extension for MediaWiki, specifically in the OATHManage.php special page handler. OATHAuth provides OATH-based two-factor authentication capabilities for MediaWiki installations, allowing users to add an additional layer of security to their accounts through time-based one-time passwords (TOTP).
The affected file src/Special/OATHManage.php handles the management interface for OATH authentication tokens. While the precise technical details of the vulnerability mechanism are not fully disclosed in the public advisories, the issue appears to involve the special page's handling of authentication-related operations.
Root Cause
The root cause of this vulnerability is located in the OATHManage.php special page implementation. Based on the affected component path and the nature of the OATHAuth extension, the issue likely involves improper handling within the authentication management workflow. The vulnerability was tracked internally by Wikimedia through their Phabricator issue tracking system under tasks T401862 and T402094.
Attack Vector
The vulnerability is accessible via network-based attack vectors, meaning remote attackers could potentially interact with the affected component without requiring local system access. The OATHManage special page is typically accessible to authenticated users managing their two-factor authentication settings.
Since no verified code examples are available for this vulnerability, technical details should be referenced from the official Wikimedia Phabricator tasks linked in the external references section.
Detection Methods for CVE-2025-11173
Indicators of Compromise
- Unusual activity patterns in OATHAuth management page access logs
- Unexpected modifications to user OATH authentication configurations
- Anomalous requests to the Special:OATHManage endpoint
Detection Strategies
- Monitor web server access logs for suspicious requests targeting Special:OATHManage or related OATHAuth endpoints
- Review MediaWiki audit logs for unexpected changes to two-factor authentication settings
- Implement web application firewall (WAF) rules to detect and alert on unusual parameter patterns in requests to the OATHManage special page
Monitoring Recommendations
- Enable verbose logging for the OATHAuth extension to capture detailed activity records
- Set up alerts for multiple failed or unusual OATH management operations within short time windows
- Regularly audit user authentication configuration changes through MediaWiki's logging infrastructure
How to Mitigate CVE-2025-11173
Immediate Actions Required
- Update OATHAuth to version 1.39.14, 1.43.4, or 1.44.1 or later depending on your MediaWiki branch
- Review recent activity on the OATHManage special page for any suspicious operations
- Audit user OATH configurations for unauthorized changes
Patch Information
Wikimedia Foundation has released patched versions of the OATHAuth extension that address this vulnerability. The fix is included in OATHAuth versions 1.39.14, 1.43.4, and 1.44.1. Users should update to the appropriate version based on their MediaWiki installation branch. For detailed patch information, refer to the Wikimedia Phabricator tasks T401862 and T402094.
Workarounds
- If immediate patching is not possible, consider temporarily restricting access to the Special:OATHManage page through MediaWiki permission settings
- Implement additional access controls at the web server level to limit who can access OATHAuth management endpoints
- Monitor OATHAuth-related activity closely until the update can be applied
# Example: Restrict access to OATHManage in LocalSettings.php
# Add to your MediaWiki LocalSettings.php to limit access
$wgGroupPermissions['*']['oathauth-enable'] = false;
$wgGroupPermissions['user']['oathauth-enable'] = false;
$wgGroupPermissions['sysop']['oathauth-enable'] = true;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.