CVE-2025-53625 Overview
CVE-2025-53625 affects the DynamicPageList3 extension for MediaWiki, a reporting tool that lists category members and intersections. Several #dpl parameters leak usernames that administrators had hidden through revision deletion, suppression, or the hideuser block flag. The flaw exposes identity information that MediaWiki operators explicitly marked as confidential. The maintainers fixed the issue in version 3.6.4. The weakness is categorized under CWE-359: Exposure of Private Personal Information to an Unauthorized Actor.
Critical Impact
Unauthenticated network attackers can retrieve usernames of suppressed or hidden users by crafting #dpl queries, undermining MediaWiki privacy controls.
Affected Products
- DynamicPageList3 extension for MediaWiki, versions prior to 3.6.4
- MediaWiki wikis using #dpl parser function from DynamicPageList3
- Wiki environments relying on revision deletion, suppression, or hideuser block flag for privacy enforcement
Discovery Timeline
- 2025-07-10 - CVE-2025-53625 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-53625
Vulnerability Analysis
DynamicPageList3 provides the #dpl parser function, which generates page lists with metadata that can include contributor usernames. MediaWiki supports several mechanisms for hiding usernames: revision deletion (RevDel), oversight suppression, and the hideuser block flag. These controls keep hidden user identities from appearing in standard wiki output.
The extension did not apply these access checks consistently when resolving user-related parameters in #dpl queries. As a result, output that included contributor or author metadata bypassed the visibility filters MediaWiki applies elsewhere. Any visitor able to render a wiki page containing a crafted #dpl invocation could observe the hidden username in the rendered list.
Root Cause
The code path that retrieves and renders author information in includes/Article.php did not consult RevisionRecord visibility flags or the suppression state before emitting usernames. The patch in commit a3dae0c89fb4214390c29ceffa23bbe2099986d6 introduces a use MediaWiki\Revision\RevisionRecord; import so the extension can evaluate revision visibility and omit names belonging to hidden users.
Attack Vector
An attacker requires no authentication and no user interaction. The attacker edits or visits a wiki page that contains a #dpl query referencing parameters that emit user data. The server-rendered output discloses usernames that should have been masked by deletion, suppression, or the hideuser flag.
// Patch in extension.json bumping the fixed version
{
"name": "DynamicPageList3",
- "version": "3.6.3",
+ "version": "3.6.4",
"author": [
"'''Universal Omega'''",
"Alexia E. Smith",
Source: GitHub Commit a3dae0c
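Review bot: the "version" bump from 3.6.3 to 3.6.4 is the only marker an operator has for telling a fixed install from a vulnerable one, and nothing in this hunk records why the release exists. Add a changelog or release-note entry that names the advisory alongside the bump, so inventory checks keyed on 3.6.4 can be traced back to the fix.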
// includes/Article.php now imports RevisionRecord to honor visibility flags
use MediaWiki\Context\RequestContext;
use MediaWiki\MediaWikiServices;
+use MediaWiki\Revision\RevisionRecord;
use MediaWiki\Title\Title;
use MediaWiki\User\ActorStore;
use stdClass;
Source: GitHub Commit a3dae0c
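Review bot: the only change visible in includes/Article.php is the added "use MediaWiki\Revision\RevisionRecord;" line, and an import by itself does not alter what the file emits. The review needs the call sites further down where a username is read from a revision: each should request the user for the public audience (RevisionRecord::FOR_PUBLIC) or test RevisionRecord::DELETED_USER before the name is emitted. The hideuser block flag is not a revision-level bit, so it needs its own check, and a test covering a suppressed revision and a hideuser-blocked account should accompany the change.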
Detection Methods for CVE-2025-53625
Indicators of Compromise
- Wiki pages containing #dpl invocations that request author, user, or contributor fields against revisions known to be RevDel'd or suppressed
- Rendered pages displaying usernames of accounts blocked with the hideuser flag
- Access logs showing repeated requests to pages that include #dpl queries targeting suppressed revision ranges
Detection Strategies
- Inventory installed MediaWiki extensions and flag any DynamicPageList3 instance below version 3.6.4
- Search wiki content for #dpl parser function usage and review parameters that return user metadata
- Compare rendered output for sample #dpl queries against the list of suppressed or hidden accounts maintained by oversight staff
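The first two detection strategies, as an added example that is not code from the advisory or from the DynamicPageList3 project: a version check against an extension.json body and a scan of page wikitext for #dpl invocations that set user-related parameters. The parameter list, the function names and the sample inputs are assumptions made for this example.

```python
import json
import re

FIXED = (3, 6, 4)  # first fixed DynamicPageList3 release named on this page
# Assumption: DPL3 parameters that output or filter on usernames. A review
# list chosen for this example, not the advisory's list of affected ones.
USER_PARAMS = {"addauthor", "addlasteditor", "adduser", "addcontribution",
               "createdby", "notcreatedby", "modifiedby", "notmodifiedby",
               "lastmodifiedby", "notlastmodifiedby"}

def is_vulnerable(extension_json: str) -> bool:
    """True if this extension.json describes DynamicPageList3 below 3.6.4."""
    meta = json.loads(extension_json)
    if meta.get("name") != "DynamicPageList3":
        return False
    nums = re.findall(r"\d+", str(meta.get("version", "")))[:3]
    version = tuple(int(n) for n in nums) + (0,) * (3 - len(nums))
    return version < FIXED

def dpl_bodies(wikitext: str):
    """Yield the body of each {{#dpl:...}} call and each <dpl> tag."""
    for m in re.finditer(r"\{\{\s*#dpl\s*:", wikitext, re.I):
        depth, i = 2, m.end()
        # Walk to the matching "}}" so nested {{templates}} stay in the body.
        while i < len(wikitext) and depth > 0:
            depth += {"{": 1, "}": -1}.get(wikitext[i], 0)
            i += 1
        yield wikitext[m.end():i - 2 if depth == 0 else i]
    for m in re.finditer(r"<dpl\b[^>]*>(.*?)</dpl>", wikitext, re.I | re.S):
        yield m.group(1)

def user_params_in(wikitext: str) -> list:
    """Per #dpl invocation, the set of user-metadata parameters it sets."""
    found = []
    for body in dpl_bodies(wikitext):
        parts = re.split(r"[|\n]", body)
        names = {p.split("=", 1)[0].strip().lower() for p in parts if "=" in p}
        found.append(names & USER_PARAMS)
    return found

# Constructed sample page text and extension.json body, for illustration.
SAMPLE_PAGE = """{{#dpl:
 |category = Policies
 |addauthor = true
 |titlematch = {{PAGENAME}}%
}}
<dpl>
category=Archive
</dpl>"""
SAMPLE_EXT = '{"name": "DynamicPageList3", "version": "3.6.3"}'
```

Pages for which user_params_in returns a non-empty set are the ones to compare against the oversight team's list of suppressed or hidden accounts.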
Monitoring Recommendations
- Audit MediaWiki Special:Log/suppress and Special:Log/block entries alongside web server logs for pages that surface the affected usernames
- Forward MediaWiki application and access logs to a central log platform for retrospective queries against #dpl-related requests
- Track new edits introducing #dpl templates on wikis where oversight or hideuser actions have been performed
How to Mitigate CVE-2025-53625
Immediate Actions Required
- Upgrade DynamicPageList3 to version 3.6.4 or later on every MediaWiki instance where the extension is installed
- Review historical wiki content for #dpl queries that may have already disclosed hidden usernames and purge cached page renderings
- Notify oversight and privacy stakeholders if suppressed identities may have been exposed prior to remediation
Patch Information
The fix is delivered in DynamicPageList3 3.6.4 via commit a3dae0c89fb4214390c29ceffa23bbe2099986d6. Details are documented in the GitHub Security Advisory GHSA-7pgw-q3qp-6pgq and the upstream commit.
Workarounds
- Disable the DynamicPageList3 extension in LocalSettings.php until the upgrade can be deployed
- Restrict use of the #dpl parser function to trusted namespaces or protect pages that invoke it
- Purge MediaWiki parser cache after upgrading so previously rendered pages no longer expose hidden usernames
# Upgrade DynamicPageList3 inside a MediaWiki installation
cd /var/www/mediawiki/extensions/DynamicPageList3
git fetch --tags
git checkout v3.6.4
php /var/www/mediawiki/maintenance/update.php --quick
php /var/www/mediawiki/maintenance/purgeParserCache.php --age=0


