CVE-2019-12473
Description
Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki 1.27.0 through 1.32.1 allows denial of service via API calls with invalid titles, causing full watchlist table scans.
Vulnerability
CVE-2019-12473 is a denial of service vulnerability in Wikimedia MediaWiki versions 1.27.0 through 1.32.1. The root cause is that the API does not properly validate titles passed in requests, allowing an attacker to trigger a heavy database query on the entire watchlist table [1][2].
Exploitation
An attacker can exploit this by sending crafted API requests with invalid or malformed titles. This causes the server to execute a slow query that groups and counts watchlist entries, consuming significant database resources and potentially leading to a denial of service [3]. The attack does not require authentication, as the API endpoint is accessible to unauthenticated users.
Impact
Successful exploitation can make the MediaWiki instance unresponsive, affecting legitimate users. The Phabricator task notes that the query was killing performance on production wikis, requiring a query killer to mitigate [3].
Mitigation
The vulnerability is fixed in MediaWiki 1.32.2, 1.31.2, 1.30.2, and 1.27.6 [2]. Debian also released a security update for the stable distribution [4]. Users should upgrade to the patched versions or apply the provided patches.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | >= 1.27.0, < 1.27.6 | 1.27.6 |
| mediawiki/core (Packagist) | >= 1.30.0, < 1.30.2 | 1.30.2 |
| mediawiki/core (Packagist) | >= 1.31.0, < 1.31.2 | 1.31.2 |
| mediawiki/core (Packagist) | >= 1.32.0, < 1.32.2 | 1.32.2 |
Affected products
- Wikimedia/MediaWiki
References
- github.com/advisories/GHSA-33xw-x3pr-rvqj (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-12473 (advisory)
- www.debian.org/security/2019/dsa-4460 (vendor advisory, Debian)
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-12473.yaml
- lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html (vendor confirmation)
- phabricator.wikimedia.org/T204729
- seclists.org/bugtraq/2019/Jun/12 (mailing list, Bugtraq)