CVE-2025-67482 Overview
CVE-2025-67482 is a vulnerability in the Wikimedia Foundation's Scribunto extension for MediaWiki and in the luasandbox library. It is associated with the files includes/Engines/LuaCommon/lualib/mwInit.lua (Scribunto) and library.c (luasandbox). The flaw lies in the Lua scripting engine components that MediaWiki uses to run Lua scripts from wiki templates inside a sandbox.
Critical Impact
This vulnerability could allow an attacker to cause a limited availability impact over a network-based attack vector, though exploitation requires high attack complexity and specific preconditions.
Affected Products
- Scribunto: versions before 1.39.16, 1.43.6, 1.44.3 and 1.45.1 (one patched release per MediaWiki branch)
- luasandbox: builds before commit fea2304f8f6ab30314369a612f4f5b165e68e95a
Discovery Timeline
- 2026-02-03 - CVE-2025-67482 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-67482
Vulnerability Analysis
This vulnerability affects the Lua execution environment within MediaWiki's Scribunto extension and the underlying luasandbox library. The affected components are mwInit.lua in the LuaCommon engine and library.c in luasandbox. These components initialize and manage the sandboxed Lua environment that lets wiki administrators and editors create dynamic content through Lua scripts.
The vulnerability can be exploited over the network, but exploitation requires high attack complexity and specific preconditions. When exploited, it has a limited impact on availability and no impact on confidentiality or integrity. Based on the affected files, the issue appears to involve improper handling during Lua sandbox initialization or library loading.
Root Cause
The root cause lies within the Lua execution environment components, specifically mwInit.lua and library.c. These files handle the initialization of the Lua sandbox and the loading of libraries into the sandboxed environment. A flaw in these components could allow unexpected behavior that affects system availability under specific conditions. Technical details can be found in the Wikimedia Security Task Summary.
Attack Vector
The attack vector for CVE-2025-67482 is network-based, meaning an attacker does not need local access to exploit it. However, exploitation requires high attack complexity and specific preconditions, which makes successful attacks harder to achieve. The vulnerability requires neither user interaction nor special privileges, but its limited impact scope means a successful exploit would only affect availability to a limited degree.
The vulnerability mechanism involves the Lua sandbox initialization and library loading components. Specific details of the exploitation pathway are documented in the Wikimedia security advisory. No verified proof-of-concept code is publicly available for this vulnerability.
Detection Methods for CVE-2025-67482
Indicators of Compromise
- Monitor for unusual Lua script execution patterns or errors in MediaWiki logs
- Check for unexpected resource consumption related to Lua script processing
- Review access logs for suspicious requests targeting wiki pages with heavy Lua template usage
Detection Strategies
- Implement logging for Lua sandbox initialization failures or unexpected behavior
- Monitor MediaWiki error logs for exceptions related to Scribunto or luasandbox components
- Deploy network monitoring to detect unusual traffic patterns targeting wiki infrastructure
Monitoring Recommendations
- Enable verbose logging for Scribunto extension operations
- Set up alerts for abnormal Lua execution times or resource usage
- Monitor system availability metrics for MediaWiki servers running affected versions
How to Mitigate CVE-2025-67482
Immediate Actions Required
- Update Scribunto to version 1.39.16, 1.43.6, 1.44.3, or 1.45.1 depending on your MediaWiki branch
- Update luasandbox to commit fea2304f8f6ab30314369a612f4f5b165e68e95a or later
- Review Wikimedia security advisory at Phabricator T408135 for specific guidance
Patch Information
Patches are available for affected versions of Scribunto and luasandbox. For Scribunto, update to the following patched versions based on your MediaWiki installation:
- MediaWiki 1.39.x: Update to Scribunto 1.39.16
- MediaWiki 1.43.x: Update to Scribunto 1.43.6
- MediaWiki 1.44.x: Update to Scribunto 1.44.3
- MediaWiki 1.45.x: Update to Scribunto 1.45.1
For luasandbox, update to commit fea2304f8f6ab30314369a612f4f5b165e68e95a or any subsequent version. Consult the official Wikimedia security documentation for detailed patch application instructions.
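The per-branch patched versions above can be turned into a fleet check. The following is an added example (not Wikimedia code) that parses a Scribunto version string and compares it against the first fixed release for its MediaWiki branch; the version numbers are the advisory's, the sample inputs are constructed, and branches the advisory does not list are reported as not covered rather than guessed at.

```python
"""Check an installed Scribunto version against the CVE-2025-67482 fixed releases.

Added example; the patched version table is taken from the advisory above.
luasandbox is tracked by commit, not version, so check it separately with
`git merge-base --is-ancestor fea2304f8f6ab30314369a612f4f5b165e68e95a HEAD`
in the luasandbox checkout (exit status 0 means the fix is present).
"""
from typing import Dict, Optional, Tuple

# First fixed Scribunto release per MediaWiki release branch (from the advisory).
PATCHED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 39): (1, 39, 16),
    (1, 43): (1, 43, 6),
    (1, 44): (1, 44, 3),
    (1, 45): (1, 45, 1),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; a missing patch level is 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def scribunto_status(text: str) -> Optional[bool]:
    """Return True if the version is before its branch's fix (vulnerable),
    False if it is at or past the fix, and None if the branch is not one the
    advisory lists (older unsupported branches, or newer ones), so the caller
    can flag it for manual review instead of silently treating it as safe."""
    version = parse_version(text)
    fixed = PATCHED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


if __name__ == "__main__":
    # Constructed sample inventory: host name -> reported Scribunto version.
    for host, ver in {"wiki-a": "1.39.15", "wiki-b": "1.44.3", "wiki-c": "1.42.2"}.items():
        status = scribunto_status(ver)
        label = {True: "VULNERABLE", False: "patched", None: "branch not covered"}[status]
        print(f"{host}: Scribunto {ver} -> {label}")
```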
Workarounds
- If immediate patching is not possible, consider temporarily disabling Lua scripting features by disabling the Scribunto extension
- Implement rate limiting on wiki page requests that utilize Lua templates
- Monitor and restrict access to pages with heavy Lua template usage until patches can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

