CVE-2025-6927 Overview
A vulnerability has been identified in Wikimedia Foundation MediaWiki affecting the block list functionality. The affected code is in includes/specials/pagers/BlockListPager.php, which renders the list of blocks shown on Special:BlockList, and includes/api/ApiQueryBlocks.php, which implements the list=blocks query module of api.php.
Impact
The issue allows information disclosure of block-related data through the block list pager (Special:BlockList) and the list=blocks API query module. The effect is confined to confidentiality and is rated low severity; no integrity or availability impact is described.
Affected Products
- MediaWiki 1.39.x before 1.39.13
- MediaWiki 1.42.x before 1.42.7
- MediaWiki 1.43.x before 1.43.2
- MediaWiki 1.44.0
Discovery Timeline
- 2026-02-02 - CVE-2025-6927 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-6927
Vulnerability Analysis
This vulnerability sits in MediaWiki's block management subsystem, in the two components that display and query user block information: BlockListPager.php renders the list of blocks on Special:BlockList, and ApiQueryBlocks.php serves the same data through the list=blocks API query module.
The issue is an information disclosure: block-related data that should be restricted can be read by users who are not entitled to see it. The attack vector is network-based, exploitation requires user interaction, and the impact is limited to confidentiality at low severity.
Root Cause
The public description attributes the issue to improper access control or information handling in the block list pager and the API query module; the specific code change is documented in Wikimedia Task T397595. BlockListPager.php controls how the block list is rendered on MediaWiki's special pages, while ApiQueryBlocks.php provides programmatic access to the same block information through the MediaWiki API, so a missing check in either path exposes the data to a different class of client (browser users versus API consumers).
Attack Vector
The vulnerability is exploitable over the network with low attack complexity, but requires user interaction to trigger. An attacker could use the block list pager or the list=blocks API module to read block-related information that should be restricted. For the complete technical details, refer to Wikimedia Task T397595.
Detection Methods for CVE-2025-6927
Indicators of Compromise
- Unusual or high-volume requests to api.php with action=query&list=blocks, especially with large bklimit values or bkcontinue pagination that walks the whole block list
- Abnormal access patterns to Special:BlockList
- Unexpected queries against the block-related database tables
Detection Strategies
- Monitor web server access logs for requests to api.php carrying action=query&list=blocks
- Alert on unusual access to Special:BlockList (unauthenticated clients, scripted user agents, high request rates)
- Review logs for attempts to reach block administration functions (Special:Block, Special:Unblock, action=block) by accounts that do not hold the block right
Monitoring Recommendations
- Log the full query string for api.php requests so list=blocks queries can be told apart from other API traffic
- Alert on repeated failed login attempts from a client that subsequently reads the block list
- Watch for bulk extraction through the API: repeated list=blocks requests from one client that page through the result set with bkcontinue
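The detection strategies above, run over sample log lines. This is an added example, not code from the original page or from MediaWiki: it parses combined-format access logs, classifies requests to the list=blocks API module and Special:BlockList, and flags a client as bulk-extracting when it uses bkcontinue pagination or issues several block-list requests within a short window. The log lines are constructed, and the window and threshold values are assumptions to tune per wiki.

```python
"""Flag access-log activity aimed at the MediaWiki components named in
CVE-2025-6927: the list=blocks API module (ApiQueryBlocks.php) and
Special:BlockList (BlockListPager.php).

Added example; not part of the original page or of MediaWiki. The log lines
are constructed, and the burst window/threshold are assumed values to tune.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: a scripted client walking the whole block list with
# bkcontinue, one person viewing Special:BlockList, and unrelated API traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2026:10:00:01 +0000] "GET /w/api.php?action=query&list=blocks&bklimit=500&bkprop=user%7Creason&format=json HTTP/1.1" 200 41230 "-" "python-requests/2.31"
203.0.113.7 - - [03/Feb/2026:10:00:02 +0000] "GET /w/api.php?action=query&list=blocks&bklimit=500&bkcontinue=2026-01-01T00%3A00%3A00Z%7C1234&format=json HTTP/1.1" 200 40987 "-" "python-requests/2.31"
203.0.113.7 - - [03/Feb/2026:10:00:03 +0000] "GET /w/api.php?action=query&list=blocks&bklimit=500&bkcontinue=2026-01-02T00%3A00%3A00Z%7C1500&format=json HTTP/1.1" 200 40811 "-" "python-requests/2.31"
198.51.100.20 - - [03/Feb/2026:10:05:10 +0000] "GET /wiki/Special:BlockList HTTP/1.1" 200 15320 "https://wiki.example/wiki/Main_Page" "Mozilla/5.0"
198.51.100.21 - - [03/Feb/2026:10:06:00 +0000] "GET /w/api.php?action=query&meta=siteinfo&format=json HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(path):
    """Return 'api-blocks' for api.php?action=query&list=blocks (list= may carry
    several pipe-separated submodules), 'special-blocklist' for Special:BlockList
    reached via a pretty URL or index.php?title=, otherwise None."""
    parts = urlsplit(path)
    if parts.path.endswith("/api.php"):
        q = parse_qs(parts.query)
        if q.get("action") == ["query"]:
            if any("blocks" in v.split("|") for v in q.get("list", [])):
                return "api-blocks"
        return None
    if parts.path.endswith("/index.php"):
        title = parse_qs(parts.query).get("title", [""])[0]
    else:
        title = unquote(parts.path).rsplit("/", 1)[-1]
    if title.lower() == "special:blocklist":
        return "special-blocklist"
    return None


def analyze(log_text, window_seconds=60, threshold=3):
    """Per client IP: how many requests hit each component, and whether the
    activity looks like bulk extraction (bkcontinue pagination, or at least
    `threshold` block-list requests inside `window_seconds`)."""
    per_ip = defaultdict(lambda: {"api-blocks": 0, "special-blocklist": 0,
                                  "continuation": False, "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        kind = classify(rec["path"]) if rec else None
        if kind is None:
            continue
        entry = per_ip[rec["ip"]]
        entry[kind] += 1
        entry["times"].append(rec["ts"])
        if kind == "api-blocks" and "bkcontinue=" in rec["path"]:
            entry["continuation"] = True

    findings = {}
    for ip, e in per_ip.items():
        times = sorted(e["times"])
        # Sliding window: any run of `threshold` requests within the window.
        burst = any(
            (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
            for i in range(len(times) - threshold + 1)
        )
        findings[ip] = {
            "api-blocks": e["api-blocks"],
            "special-blocklist": e["special-blocklist"],
            "bulk_extraction": e["continuation"] or burst,
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        flag = "BULK" if f["bulk_extraction"] else "ok"
        print(f"{ip:15} api-blocks={f['api-blocks']} "
              f"special-blocklist={f['special-blocklist']} {flag}")
```

Feed it real logs with `analyze(open(path).read())`. The bkcontinue check is the strongest signal: ordinary page views of Special:BlockList never produce it, and a client that pages through the list is collecting it rather than looking up a single block.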
How to Mitigate CVE-2025-6927
Immediate Actions Required
- Upgrade MediaWiki to a patched release: 1.39.13, 1.42.7 or 1.43.2, or a later release in the same branch. 1.44.0 is listed as affected; consult the 1.44 branch release notes and Wikimedia Task T397595 for its fix.
- Review access logs for activity targeting Special:BlockList and api.php requests with action=query&list=blocks
- If patching must wait, restrict anonymous access to the list=blocks API module (see the workarounds below)
Patch Information
Wikimedia Foundation has addressed this vulnerability in MediaWiki versions 1.39.13, 1.42.7, and 1.43.2. Administrators should upgrade to these versions or later to remediate the vulnerability; installations on 1.44.0 should follow the 1.44 branch release notes. Additional details are available in the Wikimedia Task T397595.
Workarounds
- Require login for reading: MediaWiki has no separate user right covering Special:BlockList or list=blocks, so the configuration-level way to keep them from anonymous clients is to set $wgGroupPermissions['*']['read'] to false, which makes the whole wiki private until the patch is applied
- Rate-limit api.php requests at the web server or reverse proxy; $wgRateLimits only throttles actions that call the limiter (edits, moves, uploads and similar), not read queries
- Apply these only if the risk is deemed significant for your deployment, since both change behaviour for every anonymous reader, not just for the block list
```php
# Example: require login to read the wiki. This also covers Special:BlockList
# and the list=blocks API module (api.php answers anonymous clients with the
# readapidenied error). Note that it makes the whole wiki private, not only the
# block list; $wgWhitelistRead can re-open individual pages if needed.
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = true;
# $wgRateLimits has no core 'query' action, so a limit keyed on 'query' would
# never be enforced; throttle api.php requests at the web server instead.
```
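A way to confirm that the workaround actually closes the anonymous path, as an added example that is not part of the original page or of MediaWiki: it sends a session-less list=blocks query to api.php and classifies the answer. The `interpret()` function is offline and is exercised on constructed responses; `probe()` does the live request against a base URL you supply (the URL in the usage comment is a placeholder). The error code `readapidenied` is the one MediaWiki returns when an API module requires the read right and the client lacks it.

```python
"""Confirm whether api.php answers list=blocks to a client with no session.

Added example; not part of the original page or of MediaWiki. interpret() is
offline and is fed the constructed responses below; probe() performs a live
request against a base URL you supply (the usage URL is a placeholder).
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Constructed responses in the shape api.php produces with format=json.
SAMPLE_DENIED = (b'{"error":{"code":"readapidenied",'
                 b'"info":"You need read permission to use this module."}}')
SAMPLE_EXPOSED = (b'{"batchcomplete":true,"query":{"blocks":'
                  b'[{"id":1,"user":"Example","reason":"spam"}]}}')
SAMPLE_EMPTY = b'{"batchcomplete":true,"query":{"blocks":[]}}'


def interpret(body):
    """Classify a JSON api.php response body (bytes or str):
    'denied'  - read permission enforced (MediaWiki error code readapidenied)
    'exposed' - the query succeeded and returned block entries
    'empty'   - the query succeeded but there were no blocks to list
    'unknown' - anything else (HTML error page, some other API error, ...)"""
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    error = data.get("error")
    if isinstance(error, dict) and error.get("code") == "readapidenied":
        return "denied"
    blocks = data.get("query", {}).get("blocks")
    if isinstance(blocks, list):
        return "exposed" if blocks else "empty"
    return "unknown"


def probe(base_url, timeout=10):
    """Send an anonymous list=blocks query (no cookies, one result) and
    interpret the answer. A web-server level restriction that returns an
    HTTP error is reported as 'http-<status>'."""
    params = {"action": "query", "list": "blocks", "bklimit": "1",
              "format": "json", "formatversion": "2"}
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api.php?" + urlencode(params),
        headers={"User-Agent": "cve-2025-6927-workaround-check (added example)"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.read())
    except urllib.error.HTTPError as e:
        return f"http-{e.code}"


if __name__ == "__main__":
    # Usage: python check_blocks_api.py https://wiki.example/w   (placeholder URL)
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for name, body in (("denied", SAMPLE_DENIED), ("exposed", SAMPLE_EXPOSED),
                           ("empty", SAMPLE_EMPTY)):
            print(f"{name:8} -> {interpret(body)}")
```

Run it before and after changing LocalSettings.php: 'exposed' or 'empty' means anonymous clients can still reach the module; 'denied' (or an http-403 from a proxy rule) means the workaround is in effect. Note that 'empty' only says the wiki currently has no blocks to show, not that access is restricted.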
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.