Nixpkgs security tracker

Dismissed

Permalink CVE-2025-6590

updated 2 months, 3 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 3 weeks ago
@LeSuisse dismissed 2 months, 3 weeks ago

Complete content leak of private wikis due to PasswordReset Wikitext injection in error message

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0.

References

https://phabricator.wikimedia.org/T392746

Affected products

MediaWiki

=<1.39.12, 1.42.76 1.43.1, 1.44.0

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0
nixos-25.11 -
- nixos-25.11-small 1.44.2
- nixpkgs-25.11-darwin 1.44.2

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@astro Astro <astro@spaceboyz.net>

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers