CVE-2023-45363
Description
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki API page query with redirects and converttitles can cause an unbounded loop and denial of service.
Vulnerability
Description
An issue in MediaWiki's ApiPageSet.php allows an attacker to cause a denial of service (DoS) by triggering an unbounded loop, resulting in a RequestTimeoutException. The bug affects MediaWiki versions before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1 [1]. The root cause is improper handling of page titles when both the redirects and converttitles API parameters are set, in combination with language variant conversion [2][4].
Exploitation
Conditions
An attacker can exploit this vulnerability by crafting an API query that includes pages which redirect to other language variants (e.g., simplified Chinese to traditional Chinese) while the redirects and converttitles parameters are enabled. The MediaWiki API then enters an infinite loop attempting to resolve the redirection chain, consuming server resources until the request times out [4]. No authentication is required, as the action=query API endpoint is generally accessible to unauthenticated users.
Impact
Successful exploitation results in a denial of service: the affected MediaWiki instance spins on the malicious request until it times out, and repeated requests may degrade overall server performance. The vulnerability does not lead to data loss or privilege escalation, but it can disrupt service availability for legitimate users.
Mitigation
The issue was fixed in MediaWiki 1.35.12, 1.39.5, and 1.40.1. Administrators should immediately upgrade to a patched version. The fix prevents the infinite loop by correctly handling the conversion and redirection logic [2]. No workaround is available for unpatched versions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
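The convert-then-redirect cycle described above, as a toy Python model added here (it is not MediaWiki code; the page table and the variant map are constructed, and the real LanguageConverter is only approximated by a fixed hant-to-hans mapping). `fixed=False` reproduces the pre-patch behaviour, `fixed=True` applies the guard the fix commit adds to loadRedirectTargets():

```python
# Toy model (added illustration, not MediaWiki code) of the ApiPageSet
# redirect-resolution loop behind CVE-2023-45363. `fixed` toggles the
# guard the patch adds to loadRedirectTargets().

# Constructed wiki: title -> redirect target, or None for an ordinary page.
PAGES = {
    "维基百科6": "維基百科6",   # simplified (hans) title redirecting to its traditional (hant) form
    "維基百科6": None,
}
# Constructed stand-in for the variant converter (assumption: a fixed map;
# the real LanguageConverter is far more involved). hant -> hans here,
# mirroring the conversion the fix's PHPUnit case expects.
VARIANTS = {"維基百科6": "维基百科6"}


class UnboundedLoop(RuntimeError):
    """Stands in for the RequestTimeoutException the real API eventually hit."""


def resolve(start, convert_titles, fixed, max_rounds=20):
    """Resolve `start`; return (converted, redirects, rounds). converted mirrors
    mConvertedTitles, redirects mirrors mRedirectTitles, all_pages mirrors mAllPages."""
    all_pages, converted, redirects = set(), {}, {}
    pending, rounds = [start], 0
    while pending:                          # resolvePendingRedirects()
        rounds += 1
        if rounds > max_rounds:
            raise UnboundedLoop("redirect/convert cycle never drains")
        titles = []                         # initFromTitles(): convert, then load
        for t in pending:
            if convert_titles and t in VARIANTS:
                converted[t] = VARIANTS[t]
                t = VARIANTS[t]
            titles.append(t)
            all_pages.add(t)
        pending = []                        # loadRedirectTargets()
        for t in titles:
            target = PAGES.get(t)
            if target is None:
                continue
            redirects[t] = target
            # Pre-fix: only "not loaded yet" is checked, so a target that
            # conversion turns back into the same redirect is queued forever.
            # Post-fix: a target already in mConvertedTitles is not re-queued.
            already_converted = fixed and convert_titles and target in converted
            if target not in all_pages and not already_converted:
                pending.append(target)
    return converted, redirects, rounds
```

With the guard the query drains in two rounds and still reports both the conversion and the redirect, which is what the fix's "hans redirects to hant with converttitles" test case expects.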
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | < 1.35.12 | 1.35.12 |
| mediawiki/core (Packagist) | >= 1.36.0, < 1.39.5 | 1.39.5 |
| mediawiki/core (Packagist) | >= 1.40.0, < 1.40.1 | 1.40.1 |
Affected products
- MediaWiki/MediaWiki (OSV coordinates, no CPE): 2 version ranges, < 1.35.12 (+ 1 more)
Patches
24c3ef2474c6 Fix infinite loop for self-redirects with variants conversion
2 files changed · +62 −1
includes/api/ApiPageSet.php+3 −1 modified@@ -1281,7 +1281,9 @@ private function loadRedirectTargets() { unset( $this->mPendingRedirectIDs[$rdfrom] ); if ( $to->isExternal() ) { $this->mInterwikiTitles[$to->getPrefixedText()] = $to->getInterwiki(); - } elseif ( !isset( $this->mAllPages[$to->getNamespace()][$to->getDBkey()] ) ) { + } elseif ( !isset( $this->mAllPages[$to->getNamespace()][$to->getDBkey()] ) + && !( $this->mConvertTitles && isset( $this->mConvertedTitles[$to->getPrefixedText()] ) ) + ) { $titlesToResolve[] = $to; } $this->mRedirectTitles[$from] = $to;
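Review bot: the new `&& !( $this->mConvertTitles && isset( $this->mConvertedTitles[$to->getPrefixedText()] ) )` condition carries no comment explaining why a target already present in mConvertedTitles must not be queued; add one stating that such a target was reached through variant conversion and would be converted back into the same redirect, which is exactly the cycle being cut. The comment should also note that the pair is still recorded via `$this->mRedirectTitles[$from] = $to;`, so the redirect is reported to the client but deliberately not followed further.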
tests/phpunit/includes/api/ApiPageSetTest.php+59 −0 modified@@ -139,6 +139,65 @@ public function testHandleNormalization() { ); } + public static function provideConversionWithRedirects() { + return [ + 'convert, redirect, convert' => [ + [ + [ '維基百科1', '#REDIRECT [[维基百科2]]' ], + [ '維基百科2', '' ], + ], + [ 'titles' => '维基百科1', 'converttitles' => 1, 'redirects' => 1 ], + [ [ 'from' => '维基百科1', 'to' => '維基百科1' ], [ 'from' => '维基百科2', 'to' => '維基百科2' ] ], + [ [ 'from' => '維基百科1', 'to' => '维基百科2' ] ], + ], + + 'redirect, convert, redirect' => [ + [ + [ '維基百科3', '#REDIRECT [[维基百科4]]' ], + [ '維基百科4', '#REDIRECT [[維基百科5]]' ], + ], + [ 'titles' => '維基百科3', 'converttitles' => 1, 'redirects' => 1 ], + [ [ 'from' => '维基百科4', 'to' => '維基百科4' ] ], + [ [ 'from' => '維基百科3', 'to' => '维基百科4' ], [ 'from' => '維基百科4', 'to' => '維基百科5' ] ], + ], + + 'hans redirects to hant with converttitles' => [ + [ + [ '维基百科6', '#REDIRECT [[維基百科6]]' ], + ], + [ 'titles' => '维基百科6', 'converttitles' => 1, 'redirects' => 1 ], + [ [ 'from' => '維基百科6', 'to' => '维基百科6' ] ], + [ [ 'from' => '维基百科6', 'to' => '維基百科6' ] ], + ], + + 'hans redirects to hant without converttitles' => [ + [ + [ '维基百科6', '#REDIRECT [[維基百科6]]' ], + ], + [ 'titles' => '维基百科6', 'redirects' => 1 ], + [], + [ [ 'from' => '维基百科6', 'to' => '維基百科6' ] ], + ], + ]; + } + + /** + * @dataProvider provideConversionWithRedirects + */ + public function testHandleConversionWithRedirects( $pages, $params, $expectConversion, $exceptRedirects ) { + $this->overrideConfigValue( MainConfigNames::LanguageCode, 'zh' ); + + foreach ( $pages as $page ) { + $this->editPage( $page[0], $page[1] ); + } + + $pageSet = $this->newApiPageSet( $params ); + $pageSet->execute(); + + $this->assertSame( $expectConversion, $pageSet->getConvertedTitlesAsResult() ); + $this->assertSame( $exceptRedirects, $pageSet->getRedirectTitlesAsResult() ); + } + public function testSpecialRedirects() { $id1 = $this->editPage( 'UTApiPageSet', 'UTApiPageSet in the default language' ) 
->getNewRevision()->getPageId();
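Review bot: the fourth parameter of testHandleConversionWithRedirects() is spelled `$exceptRedirects` where `$expectRedirects` is meant (it is paired with `$expectConversion` and passed straight to assertSame()); rename it. The provider's array layout (pages, request params, expected conversions, expected redirects) is also undocumented; a short docblock on provideConversionWithRedirects() describing the four positions would help, since the 'hans redirects to hant with converttitles' case is the regression test for the loop and is where readers will look first.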
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-w5fx-cx7f-6vr9 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-45363 (advisory)
- https://www.debian.org/security/2023/dsa-5520 (vendor advisory)
- https://github.com/wikimedia/mediawiki/commit/24c3ef2474c6daa20ed48168d46196a55346dfd8 (fix commit)
- https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html (mailing list)
- https://phabricator.wikimedia.org/T333050 (issue tracker)