CVE-2020-25813
Description
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki Special:UserRights revealed existence of hidden users to viewers lacking the hideuser right, leaking sensitive information.
In MediaWiki, hidden users are designed to be invisible to most users to protect their identity. However, the Special:UserRights page listed hidden users without checking the viewer's 'hideuser' permission, thereby exposing their existence [1][2]. This vulnerability affects versions before 1.31.10 and 1.32.x through 1.34.x before 1.34.4.
An attacker can exploit this by simply accessing the Special:UserRights page. No special privileges are required to view the list of users, including hidden ones [2]. The attack surface is trivial: any user, even without advanced rights, can discover the presence of hidden users.
The impact is information disclosure: an adversary learns that certain users are hidden, which may indicate that these accounts are monitored or privileged. While no direct data like passwords is leaked, this knowledge can facilitate targeted attacks or social engineering against sensitive users [1][2].
The issue is patched in MediaWiki 1.31.10 and 1.34.4. Users should upgrade to these or later versions. No workaround is documented [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | >= 1.31.0, < 1.31.9 | 1.31.9 |
| mediawiki/core (Packagist) | >= 1.32.0, < 1.34.3 | 1.34.3 |
Affected products
- osv-coords (2 versions)
  - (no CPE) range: < 1.31.10
  - (no CPE) range: >= 1.31.0, < 1.31.9
References
- github.com/advisories/GHSA-c4rj-wrmq-52rj (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/ (mitre, vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-25813 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2020-25813.yaml (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6 (ghsa, WEB)
- lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html (ghsa, x_refsource_CONFIRM, WEB)
- lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html (ghsa, x_refsource_MISC, WEB)
- meta.wikimedia.org/wiki/Special:UserRights (ghsa, x_refsource_MISC, WEB)
- phabricator.wikimedia.org/T232568 (ghsa, WEB)