VYPR
High severity · NVD Advisory · Published Sep 27, 2020 · Updated Aug 4, 2024

CVE-2020-25827

Description

An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MediaWiki OATHAuth extension fails to enforce TOTP rate limits across wikis in a farm, allowing concurrent brute-force attempts.

An issue in the OATHAuth extension for MediaWiki allows attackers to bypass rate limiting on TOTP token validation. In wiki farms or clusters using CentralAuth, the rate limit for OATH tokens is enforced only on a per-site basis, not globally [1][2]. This means the limit is not shared across multiple wikis.

To exploit this, an attacker can simultaneously submit many TOTP validation requests across different wikis. Since each site has its own counter, the attacker can effectively multiply the allowed attempts by the number of wikis. The pingLimiter function, which enforces limits, counts 'user' and 'anon' limits per wiki, while 'ip' and 'subnet' limits are cross-wiki, but the default configuration only uses per-user limits for the badoath action [3].

Successful exploitation enables brute-force attacks on two-factor authentication tokens, potentially compromising accounts protected by TOTP. This undermines the security of OATHAuth, as an attacker can guess tokens faster than intended [2][3].

The vulnerability is fixed in MediaWiki 1.31.10, 1.34.4, and later versions. Administrators should upgrade to these releases or apply a workaround by configuring per-IP or per-subnet limits for the 'badoath' action in InitialSettings.php, as suggested in the Phabricator task [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
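The workaround described above, shown as a settings-file fragment. This is an added example, not code from the advisory or from MediaWiki/OATHAuth: it assumes the MediaWiki `$wgRateLimits` array (each entry is `'scope' => [ attempts, seconds ]`, appended to the wiki's PHP settings file, LocalSettings.php on a standard install), and the attempt counts and window lengths are assumed values, not the extension's defaults.

```php
// Added example; not from the advisory or from MediaWiki/OATHAuth.
// Rate-limit buckets for the 'badoath' action (a failed OATH token check).
// Numbers are assumed for illustration, not the extension's shipped defaults.

// --- Weak: per-user bucket only ---
// On a CentralAuth farm the 'user' counter is kept per wiki, so with N wikis
// an attacker gets roughly N x 10 guesses per minute against one account
// instead of 10.
$wgRateLimits['badoath'] = [
    'user' => [ 10, 60 ],
];

// --- Hardened: add cross-wiki buckets ---
// 'ip' and 'subnet' counters are shared across the farm rather than kept per
// site, so the same source cannot multiply its attempts by spreading them
// over many wikis. The per-user bucket is kept for account-level protection.
$wgRateLimits['badoath'] = [
    'user'   => [ 10, 60 ],   // per account, per wiki
    'ip'     => [ 10, 60 ],   // per client address, farm-wide
    'subnet' => [ 30, 60 ],   // per address block, farm-wide
];
```

Per-IP and per-subnet buckets also count legitimate users who share an address (NAT, proxies), so size the windows for real traffic and watch for lockouts after deploying.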

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
mediawiki/core (Packagist) | >= 1.31.0, < 1.31.9 | 1.31.9
mediawiki/core (Packagist) | >= 1.32.0, < 1.34.3 | 1.34.3
