CVE-2021-41800
Description
MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki before 1.36.2 allows denial of service via a lengthy SQL query on Special:Contributions due to improper PoolCounter protection.
Vulnerability
In MediaWiki versions before 1.36.2 (and, on the older branches, before 1.31.16 and 1.35.4), the Special:Contributions page lacks proper PoolCounter protection, leading to potential denial of service [1][2]. The PoolCounter mechanism is designed to limit concurrent database queries, but it was mishandled in the execute() method of SpecialContributions, so a long-running SQL query could be executed outside the protection of the pool counter [3]. The issue affects all versions prior to the fix, including the now-EOL 1.31 branch [2].
Exploitation
An attacker simply needs to visit the Special:Contributions page, possibly repeatedly or for a user with many contributions, to trigger a long-running SQL query that consumes database resources [1]. No special privileges or authentication are required, as the page is publicly accessible on most wikis [2], so the attack can be performed by any unauthenticated user.
Impact
Successful exploitation results in a denial of service (DoS) condition due to excessive resource consumption [1]. The lengthy SQL query can tie up database connections, slowing down or blocking other requests, potentially making the wiki unavailable to legitimate users. The impact is limited to availability; no data disclosure or modification is involved.
Mitigation
MediaWiki 1.36.2, 1.35.4, and 1.31.16 were released on September 30, 2021, containing the fix [2]. The commit [3] restructures the doWork callback to move the getNumRows() check inside the pool counter work, ensuring that the query is only executed when pool access is granted. Users should upgrade to these versions or later. The 1.31 branch is now end-of-life, so users on that branch must upgrade to a supported version [2].
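The effect of moving the getNumRows() check inside the pool work, as an added PHP 8 model that is not MediaWiki code or the commit's own. LazyPager, SlotPool, renderBefore and renderAfter are hypothetical names, and a pool constructed with zero free slots stands in for a saturated PoolCounter.

```php
<?php
// Constructed model, not MediaWiki code; every class and function name is hypothetical.
/** Pager that runs its expensive query lazily, on first access to the result. */
class LazyPager {
    public int $queriesRun = 0;
    private ?array $rows = null;
    private function doQuery(): void {
        if ( $this->rows === null ) {
            $this->queriesRun++; // stands in for the long-running SQL query
            $this->rows = [ 'edit 1', 'edit 2' ];
        }
    }
    public function getNumRows(): int { $this->doQuery(); return count( $this->rows ); }
    public function getBody(): string { $this->doQuery(); return implode( "\n", $this->rows ); }
}

/** Pool with a fixed number of slots; work runs only while a slot is free. */
class SlotPool {
    public function __construct( private int $free ) {}
    public function execute( callable $doWork, callable $error ) {
        if ( $this->free < 1 ) {
            return $error(); // rejected: the work callback is never invoked
        }
        $this->free--;
        try { return $doWork(); } finally { $this->free++; }
    }
}

// Before the fix: the emptiness check sits outside the pool and triggers the query.
function renderBefore( LazyPager $pager, SlotPool $pool ): string {
    if ( !$pager->getNumRows() ) { return 'nocontribs'; }
    return $pool->execute( fn () => $pager->getBody(), fn () => 'pool full' );
}

// After the fix: every pager access happens inside the pool work.
function renderAfter( LazyPager $pager, SlotPool $pool ): string {
    return $pool->execute(
        fn () => $pager->getNumRows() ? $pager->getBody() : 'nocontribs',
        fn () => 'pool full'
    );
}

// A pool with 0 free slots models saturation by other in-flight requests.
foreach ( [ 'renderBefore', 'renderAfter' ] as $render ) {
    $pager = new LazyPager();
    $result = $render( $pager, new SlotPool( 0 ) );
    printf( "%-12s -> %-9s queries run: %d\n", $render, $result, $pager->queriesRun );
}
```

Both variants end in the pool-full path, but only the "before" variant has already run the query by the time the pool rejects the request.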
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | < 1.36.2 | 1.36.2 |
Affected products (3)
- MediaWiki/MediaWiki (description)
- osv-coords (2 versions): < 1.36.2, + 1 more
- (no CPE) range: < 1.36.2
- (no CPE) range: < 1.36.2
Patches (1)
781caf83dba9 SECURITY: fix PoolCounter protection of Special:Contributions
1 file changed · +17 −15
includes/specials/SpecialContributions.php+17 −15 modified@@ -310,8 +310,6 @@ public function execute( $par ) { $limits = $this->getConfig()->get( 'RangeContributionsCIDRLimit' ); $limit = $limits[ IPUtils::isIPv4( $target ) ? 'IPv4' : 'IPv6' ]; $out->addWikiMsg( 'sp-contributions-outofrange', $limit ); - } elseif ( !$pager->getNumRows() ) { - $out->addWikiMsg( 'nocontribs', $target ); } else { // @todo We just want a wiki ID here, not a "DB domain", but // current status of MediaWiki conflates the two. See T235955. @@ -322,20 +320,24 @@ public function execute( $par ) { $poolKey .= 'u:' . $this->getUser()->getId(); } $work = new PoolCounterWorkViaCallback( 'SpecialContributions', $poolKey, [ - 'doWork' => function () use ( $pager, $out ) { - # Show a message about replica DB lag, if applicable - $lag = $pager->getDatabase()->getSessionLagStatus()['lag']; - if ( $lag > 0 ) { - $out->showLagWarning( $lag ); + 'doWork' => function () use ( $pager, $out, $target ) { + if ( !$pager->getNumRows() ) { + $out->addWikiMsg( 'nocontribs', $target ); + } else { + # Show a message about replica DB lag, if applicable + $lag = $pager->getDatabase()->getSessionLagStatus()['lag']; + if ( $lag > 0 ) { + $out->showLagWarning( $lag ); + } + + $output = $pager->getBody(); + if ( !$this->including() ) { + $output = $pager->getNavigationBar() . + $output . + $pager->getNavigationBar(); + } + $out->addHTML( $output ); } - - $output = $pager->getBody(); - if ( !$this->including() ) { - $output = $pager->getNavigationBar() . - $output . - $pager->getNavigationBar(); - } - $out->addHTML( $output ); }, 'error' => function () use ( $out ) { $msg = $this->getUser()->isAnon()
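Review bot: The remaining `} else {` branch in execute() (first hunk, @@ -310) carries no comment saying that `$pager->getNumRows()` must not be called in this if/elseif chain. Since the removed `elseif ( !$pager->getNumRows() )` is exactly the call that escaped the pool, a one-line comment above the `PoolCounterWorkViaCallback` setup would help keep a later edit from reintroducing it. The summary shows 1 file changed, so no test pins this ordering; a regression test would be worth adding.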
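Review bot: In the new `doWork` closure (second hunk, @@ -322), wrapping the lag warning and output in `if ( !$pager->getNumRows() ) { ... } else { ... }` re-indents about a dozen otherwise unchanged lines, which makes a security backport harder to audit; an early `return;` after `$out->addWikiMsg( 'nocontribs', $target );` would leave the rest of the closure untouched. The commit message should also record the behaviour change this implies: a request for a target with no contributions now reaches the `'error'` callback when the pool is full, instead of always showing `nocontribs`.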
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (13)
- github.com/advisories/GHSA-c8wv-qwwc-6j73 (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJDYJQWT43GBD6GNQ4OW7JOZ6WQ6DZTN/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDBPECBWN6LWNSWIQMVXK6PP4YFEUYHA/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX/ (mitre, vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41800 (ghsa, ADVISORY)
- security.gentoo.org/glsa/202305-24 (ghsa, vendor-advisory, WEB)
- github.com/wikimedia/mediawiki/commit/781caf83dba90c18349f930bbaaa0e89f003f874 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CJDYJQWT43GBD6GNQ4OW7JOZ6WQ6DZTN (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDBPECBWN6LWNSWIQMVXK6PP4YFEUYHA (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX (ghsa, WEB)
- lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5 (ghsa, WEB)
- phabricator.wikimedia.org/T284419 (ghsa, WEB)
- lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/ (mitre)