VYPR
High severity · NVD Advisory · Published Jul 10, 2019 · Updated Aug 4, 2024

CVE-2019-12472


Description

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MediaWiki 1.18.0 through 1.32.1 allows bypassing IP range block size limits ($wgBlockCIDRLimit) via the API, enabling overly broad blocks.

Vulnerability

Details

An incorrect access control vulnerability exists in Wikimedia MediaWiki versions 1.18.0 through 1.32.1. $wgBlockCIDRLimit sets, per address family, the shortest CIDR prefix (that is, the widest range) a range block may use; the shipped default is /16 for IPv4 and /19 for IPv6. The web form (Special:Block) enforced that limit, but the API's action=block module did not consult it before applying a block, so a caller going through the API could place a range block far wider than the configuration allowed [1][2][3].

Exploitation

Exploiting this requires an account that already holds the block user right (normally administrators), since that right is needed to call action=block at all; no authentication bypass is involved. The defect is that one privileged interface skipped a check the other enforced. Such a user submits an action=block request whose target is an excessively wide CIDR range (e.g., /1 or /2), and the block is applied, covering a huge swathe of IP addresses, potentially millions of users, including legitimate editors and visitors [3]. The realistic trigger is automation rather than a hand-crafted request: the bypass was discovered in production when a bot on ruwikiquote created blocks covering nearly all IPv4 addresses [3].

Impact

Successful exploitation allows a block-capable user to block an extremely large IP range, far beyond the intended limit (such as the default /16 for IPv4), covering a significant portion of the internet's address space. A MediaWiki block stops editing and, depending on the block options, account creation from the blocked addresses; it does not stop reading. The result is still a substantial denial of service for the wiki's editing community, affecting many legitimate users, and it undermines the administrative control designed to prevent accidental or malicious mass blocking [2][3].

Mitigation

The vulnerability is fixed in MediaWiki versions 1.32.2, 1.31.2, 1.30.2, and 1.27.6 [1]. Users of older versions should upgrade immediately. Note that MediaWiki 1.30 reached end-of-life in December 2018, and 1.27 in June 2019, so these final security releases are the only fix available on those unsupported branches [1]. The fix makes the API check $wgBlockCIDRLimit before permitting a block [3]. It only refuses new over-wide blocks; it does not remove blocks already placed, so after upgrading, review the active block list (for example via action=query&list=blocks) for ranges wider than the configured limit and lift them.
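As an added illustration (not MediaWiki's own code, and not taken from the advisory's references), the following Python re-states the $wgBlockCIDRLimit rule described under Details, models the action=block decision before and after the fix, and runs the post-upgrade audit suggested under Mitigation over a constructed list=blocks response. The default limits are MediaWiki's shipped values; the verdict strings, helper names, the simplified api_block model and the sample block records are assumptions of this example, and real list=blocks output would come from the wiki's api.php.

```python
"""Added example (not MediaWiki's code): the $wgBlockCIDRLimit rule that
Special:Block enforced and action=block skipped in 1.18.0-1.32.1, expressed
in Python, plus an audit over list=blocks output for blocks already placed."""
import ipaddress
import json

# MediaWiki's shipped default for $wgBlockCIDRLimit: the shortest prefix
# (widest range) a range block may use, per address family.
DEFAULT_CIDR_LIMIT = {"IPv4": 16, "IPv6": 19}


def check_block_target(target, limit=DEFAULT_CIDR_LIMIT):
    """Classify a block target against the CIDR limit.

    Verdict strings are this example's own (assumed names):
      "single-ip"      one address; the limit does not apply
      "range-ok"       a range whose prefix is at least as long as the limit
      "range-too-wide" a range wider than the limit (what the API let through)
      "invalid"        looks like a range but does not parse (e.g. /33)
      "user"           not an IP target at all, so the limit does not apply
    """
    try:
        ipaddress.ip_address(target)
        return "single-ip"
    except ValueError:
        pass
    try:
        # strict=False zeroes host bits, as MediaWiki does when it sanitizes
        # a range, so "198.51.100.7/16" is treated as 198.51.100.0/16.
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return "invalid" if "/" in target else "user"
    family = "IPv4" if net.version == 4 else "IPv6"
    return "range-too-wide" if net.prefixlen < limit[family] else "range-ok"


def api_block(params, limit=DEFAULT_CIDR_LIMIT, patched=True):
    """Model the decision an action=block handler makes for one request.

    With patched=False the limit is never consulted (the vulnerable behaviour);
    with patched=True an over-wide range is refused. Returns (applied, verdict).
    Only the target check is modelled; token and user-right checks are omitted.
    """
    verdict = check_block_target(params["user"], limit)
    if verdict == "invalid":
        return False, verdict
    if patched and verdict == "range-too-wide":
        return False, verdict
    return True, verdict


def find_overbroad_blocks(list_blocks_json, limit=DEFAULT_CIDR_LIMIT):
    """Return (id, target, blocker) for active blocks wider than the limit.

    Input is the JSON body of action=query&list=blocks&bkprop=id|user|by.
    Useful after upgrading: the fix refuses new over-wide blocks but does
    not touch blocks already in the database.
    """
    blocks = json.loads(list_blocks_json)["query"]["blocks"]
    return [
        (b["id"], b["user"], b.get("by"))
        for b in blocks
        if check_block_target(b.get("user", ""), limit) == "range-too-wide"
    ]


# Constructed sample in the shape of a list=blocks response; not real data.
SAMPLE_LIST_BLOCKS = json.dumps({"query": {"blocks": [
    {"id": 101, "user": "192.0.2.0/24", "by": "Admin"},
    {"id": 102, "user": "0.0.0.0/1", "by": "BlockBot"},
    {"id": 103, "user": "2001:db8::/16", "by": "BlockBot"},
    {"id": 104, "user": "Vandal42", "by": "Admin"},
    {"id": 105, "user": "198.51.100.7", "by": "Admin"},
]}})


if __name__ == "__main__":
    request = {"action": "block", "user": "0.0.0.0/1", "reason": "constructed"}
    print("unpatched:", api_block(request, patched=False))  # (True, 'range-too-wide')
    print("patched:  ", api_block(request))                 # (False, 'range-too-wide')
    for blk in find_overbroad_blocks(SAMPLE_LIST_BLOCKS):
        print("over-wide block:", blk)
```

Setting the IPv4 limit to 32 (or IPv6 to 128) disables range blocks entirely, since every genuine range then has a prefix shorter than the limit; the check above reproduces that behaviour without a special case.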

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions       Patched version
mediawiki/core   Packagist   >= 1.18.0, < 1.27.6     1.27.6
mediawiki/core   Packagist   >= 1.30.0, < 1.30.2     1.30.2
mediawiki/core   Packagist   >= 1.31.0, < 1.31.2     1.31.2
mediawiki/core   Packagist   >= 1.32.0, < 1.32.2     1.32.2

Affected products

2

Patches

0

No patches discovered yet.


References

5
