CVE-2025-53625 Overview
CVE-2025-53625 is an information disclosure vulnerability in the DynamicPageList3 extension for MediaWiki. The extension is a reporting tool that lists category members and intersections with various formats and details. Several #dpl parameters leak usernames that administrators have hidden through revision deletion, suppression, or the hideuser block flag. Unauthenticated network attackers can query the extension and recover identities meant to remain confidential. The maintainers fixed the issue in version 3.6.4. The weakness maps to CWE-359: Exposure of Private Personal Information to an Unauthorized Actor.
Critical Impact
Unauthenticated remote actors can disclose usernames suppressed by oversight, revision deletion, or hideuser blocks, undermining MediaWiki privacy protections.
Affected Products
- DynamicPageList3 extension for MediaWiki versions prior to 3.6.4
- MediaWiki wikis that enable the #dpl parser function via DynamicPageList3
- Public and private wikis relying on revision deletion or hideuser to suppress identities
Discovery Timeline
- 2025-07-10 - CVE-2025-53625 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-53625
Vulnerability Analysis
DynamicPageList3 generates dynamic lists of pages and revisions based on user-supplied #dpl parameters. Several output modes expose author or editor names directly from revision metadata. The pre-patch code did not check whether the associated user was suppressed, revision-deleted, or blocked with the hideuser flag. As a result, queries that requested author information returned the raw username string regardless of visibility state.
In MediaWiki, hidden users represent a sensitive privacy guarantee. Oversighters and stewards apply suppression to remove personally identifying information from public view. The extension bypassed those guarantees, allowing a single crafted wiki page or API request to enumerate suppressed identities at scale.
Root Cause
The extension fetched revision actor data without consulting the visibility bitfield on each revision. The fix in commit a3dae0c89fb4214390c29ceffa23bbe2099986d6 imports MediaWiki\Revision\RevisionRecord into includes/Article.php so that DELETED_USER and SUPPRESSED_USER flags are honored before rendering an author name.
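The visibility check described above, modelled in Python as an added example (not the extension's PHP and not code from the commit). The bit values are those defined on MediaWiki's RevisionRecord class; the row layout, the "hideuser" field and all names are constructed for illustration.

```python
import re

# rev_deleted bit values as defined on MediaWiki's RevisionRecord class.
DELETED_TEXT, DELETED_COMMENT, DELETED_USER, DELETED_RESTRICTED = 1, 2, 4, 8
SUPPRESSED_USER = DELETED_USER | DELETED_RESTRICTED  # 12

def author_for_display(rev, honor_visibility):
    """Name to render for one revision row, or None when it must be withheld.
    honor_visibility=False models the unchecked pre-3.6.4 behaviour."""
    hidden = bool(rev["rev_deleted"] & DELETED_USER) or rev["hideuser"]
    return None if (honor_visibility and hidden) else rev["actor_name"]

def exposed_rows(revs):
    """(rev_id, name) pairs the unchecked path shows but the checked path withholds."""
    return [(r["rev_id"], r["actor_name"]) for r in revs
            if author_for_display(r, False) is not None
            and author_for_display(r, True) is None]

def leaked_in_output(rendered, revs):
    """Withheld names that still appear as whole words in rendered text.
    Revision deletion is per revision, so treat hits as review candidates."""
    return sorted({name for _, name in exposed_rows(revs)
                   if re.search(r"(?<!\w)" + re.escape(name) + r"(?!\w)", rendered)})

# Constructed rows; "hideuser" is a hypothetical flattened field standing in
# for a lookup of the account's block record.
ROWS = [
    {"rev_id": 101, "actor_name": "ExampleA", "rev_deleted": 0, "hideuser": False},
    {"rev_id": 102, "actor_name": "ExampleB", "rev_deleted": DELETED_USER, "hideuser": False},
    {"rev_id": 103, "actor_name": "ExampleC", "rev_deleted": SUPPRESSED_USER, "hideuser": False},
    {"rev_id": 104, "actor_name": "ExampleD", "rev_deleted": DELETED_COMMENT, "hideuser": False},
    {"rev_id": 105, "actor_name": "ExampleE", "rev_deleted": 0, "hideuser": True},
]
RENDERED = "Last edited by ExampleA, ExampleC and ExampleE"  # constructed output

if __name__ == "__main__":
    print(exposed_rows(ROWS))
    print(leaked_in_output(RENDERED, ROWS))
```

Revision 104 stays visible because only its edit summary is hidden, while 103 is withheld because SUPPRESSED_USER includes the DELETED_USER bit.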
Attack Vector
Exploitation requires only network access to a wiki that hosts the vulnerable extension. An attacker authors a wiki page or sends an API request containing a #dpl invocation with parameters that surface author or editor metadata. The server processes the parser function and returns the hidden username in the rendered output. No authentication, privileges, or user interaction are needed.
{
"name": "DynamicPageList3",
- "version": "3.6.3",
+ "version": "3.6.4",
"author": [
"'''Universal Omega'''",
"Alexia E. Smith",
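Review bot: The "version" change from 3.6.3 to 3.6.4 is what administrators will read in Special:Version to decide whether they are patched, so it should land in the same commit as the visibility check and not ahead of it; otherwise an install can report 3.6.4 while still rendering hidden names. A changelog or release-note line that names the security fix alongside this bump would help operators who gate upgrades on release notes.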
Source: GitHub commit a3dae0c
use MediaWiki\Context\RequestContext;
use MediaWiki\MediaWikiServices;
+use MediaWiki\Revision\RevisionRecord;
use MediaWiki\Title\Title;
use MediaWiki\User\ActorStore;
use stdClass;
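Review bot: The added "use MediaWiki\Revision\RevisionRecord;" line changes no behaviour by itself, and nothing in the visible lines shows where the class is used. Before approving, confirm that every code path in this file that outputs an author or last-editor name tests the revision's DELETED_USER and SUPPRESSED_USER bits before rendering, and ask for a test that renders a #dpl list over a revision with a hidden user and asserts the name is absent from the output.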
Source: GitHub commit a3dae0c — the patch introduces RevisionRecord so the extension can check deletion and suppression flags before exposing usernames.
Detection Methods for CVE-2025-53625
Indicators of Compromise
- Wiki pages or API requests containing #dpl parser invocations that request author, editor, or addauthor parameters
- Rendered output containing usernames that match accounts blocked with hideuser or suppressed by oversight
- Unexpected creation of pages by anonymous or low-reputation accounts that embed DynamicPageList3 queries targeting deleted revisions
Detection Strategies
- Audit MediaWiki edit history for new or modified pages containing the {{#dpl: parser token combined with author-related parameters such as addauthor, adduser, or addlasteditor
- Compare DynamicPageList3 rendered output against the user_blocks and revision tables to detect leakage of users carrying the hideuser flag or rev_deleted bits
- Review web server access logs for action=parse or action=expandtemplates API calls embedding #dpl syntax from unauthenticated sources
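One way to apply the first and third strategies offline, as an added example that is not part of the original advisory or the extension. It scans wikitext and URL-encoded API requests for #dpl calls that request the author-related parameters named above; the watch list is an assumed starting set, and the sample page and log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Parameters named on this page; an assumed starting set, extend per wiki.
USER_PARAMS = {"addauthor", "adduser", "addlasteditor"}
DPL_OPEN = re.compile(r"\{\{\s*#dpl\s*:", re.IGNORECASE)
API_ACTION = re.compile(r"[?&]action=(parse|expandtemplates)\b", re.IGNORECASE)
LOG_LINE = re.compile(r'(\S+) .*?"(?:GET|POST) (\S+)')

def dpl_calls(text):
    """Yield the body of each {{#dpl: ...}} call, tracking nested braces."""
    for m in DPL_OPEN.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            pair = text[i:i + 2]
            if pair == "{{":
                depth, i = depth + 1, i + 2
            elif pair == "}}":
                depth, i = depth - 1, i + 2
            else:
                i += 1
        yield text[m.end():(i - 2 if depth == 0 else i)]

def user_params(text):
    """Sorted user-metadata parameters requested by any #dpl call in text."""
    keys = {part.split("=", 1)[0].strip().lower()
            for body in dpl_calls(text) for part in body.split("|")}
    return sorted(keys & USER_PARAMS)

def scan_access_log(lines):
    """(client, params) for parse/expandtemplates requests that carry #dpl.
    Only query strings are visible here; POST bodies need application logs."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and API_ACTION.search(m.group(2)):
            params = user_params(unquote_plus(m.group(2)))
            if params:
                hits.append((m.group(1), params))
    return hits

# Constructed samples (documentation addresses, not real traffic).
SAMPLE_PAGE = "Intro {{#DPL: category=Help | addauthor=true | count={{{1|5}}} }} end"
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2025:12:00:00 +0000] "GET /api.php?action=parse'
    '&text=%7B%7B%23dpl%3Acategory%3DHelp%7Caddlasteditor%3Dtrue%7D%7D HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Jul/2025:12:00:05 +0000] "GET /api.php?action=parse'
    '&text=%7B%7B%23dpl%3Acategory%3DHelp%7D%7D HTTP/1.1" 200 300',
]
```

A hit only means a #dpl call asked for user metadata; whether a hidden name was actually rendered still has to be confirmed against the suppression records.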
Monitoring Recommendations
- Enable MediaWiki abuse filter rules that flag edits introducing #dpl queries requesting user metadata
- Forward MediaWiki and web server logs to a centralized SIEM for correlation against suppression events recorded by oversighters
- Monitor the installed DynamicPageList3 version reported in Special:Version and alert when the value is below 3.6.4
How to Mitigate CVE-2025-53625
Immediate Actions Required
- Upgrade the DynamicPageList3 extension to version 3.6.4 or later on every MediaWiki instance
- Purge the MediaWiki parser cache after upgrading so previously rendered pages do not continue to expose hidden usernames
- Re-suppress affected accounts if forensic review confirms that hidden identities were rendered into public content
Patch Information
The fix is delivered in DynamicPageList3 3.6.4 via commit a3dae0c89fb4214390c29ceffa23bbe2099986d6. Details are documented in GitHub Security Advisory GHSA-7pgw-q3qp-6pgq and the upstream commit.
Workarounds
- Disable the DynamicPageList3 extension in LocalSettings.php until the upgrade is applied
- Restrict the #dpl parser function through abuse filters that block parameters returning author or editor information
- Remove or revert pages that already contain #dpl queries surfacing hidden usernames, then rebuild affected caches
# Configuration example: disable DynamicPageList3 until patched
# In LocalSettings.php, comment out the extension loader:
# wfLoadExtension( 'DynamicPageList3' );
# After upgrading to 3.6.4, refresh caches:
php maintenance/update.php --quick
php maintenance/rebuildLocalisationCache.php
php maintenance/purgeParserCache.php --age=0