CVE-2025-61639

NameCVE-2025-61639
DescriptionExposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4355-1, DSA-6085-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mediawiki (PTS)bullseye1:1.35.13-1+deb11u2vulnerable
bullseye (security)1:1.35.13-1+deb11u6fixed
bookworm, bookworm (security)1:1.39.17-1~deb12u1fixed
trixie (security), trixie1:1.43.6+dfsg-1~deb13u1fixed
forky, sid1:1.43.6+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mediawikisourcebullseye1:1.35.13-1+deb11u5DLA-4355-1
mediawikisourcebookworm1:1.39.17-1~deb12u1DSA-6085-1
mediawikisourcetrixie1:1.43.6+dfsg-1~deb13u1DSA-6085-1
mediawikisource(unstable)1:1.43.5+dfsg-1

Notes

https://phabricator.wikimedia.org/T280413
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193178
Search for package or bug name: Reporting problems