CVE-2025-32076
Description
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Visual Data Extension allows HTTP DoS. This issue affects Mediawiki - Visual Data Extension: from 1.39 through 1.43.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A regex of cubic complexity in MediaWiki's VisualData extension enables HTTP DoS via crafted input in the SubmitForm component.
Root Cause
The VisualData extension for MediaWiki contains a regular expression vulnerability in its SubmitForm processing. The regex /<\\s*([^<>]+)\\s*>/ is used to parse user-provided data wrapped in angle brackets. According to the advisory [1], this expression has third-degree polynomial (cubic) complexity, making it susceptible to catastrophic backtracking when fed a maliciously crafted string.
Exploitation
An attacker can send a specially crafted HTTP request to a wiki running a vulnerable version of the extension (1.39 through 1.43) that includes input designed to trigger worst-case regex behavior. No authentication is required if the form is publicly accessible; the attack surface is the SubmitForm endpoint that processes user data against the vulnerable regex.
Impact
Successful exploitation causes the server to spend excessive CPU time on regex evaluation, leading to a denial of service (DoS) condition. This can degrade service availability or, in a sustained attack, make the wiki unresponsive to legitimate users.
Mitigation
Wikimedia has addressed the issue by replacing the vulnerable regex with a safer pattern using possessive quantifiers (/< \\s*+([^<>]++)\\s*+>/). Users should update the VisualData extension to the patched version as soon as possible [1]. No workaround is provided beyond the patch.
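The two patterns quoted above, compared on constructed well-formed inputs in PHP (an added example, not code from the VisualData extension or the advisory). It assumes the single-backslash form of each pattern and treats the space after `<` in the patched one as a rendering artifact; `firstToken` is a hypothetical helper.

```php
<?php
// Added example, not VisualData code. Patterns are the single-backslash
// forms of the two expressions quoted above; the space after "<" in the
// patched one is assumed to be a rendering artifact and is omitted.
const ORIGINAL_PATTERN = '/<\s*([^<>]+)\s*>/';
const PATCHED_PATTERN  = '/<\s*+([^<>]++)\s*+>/';

/**
 * Return the first captured token, null when there is no match, and throw
 * when PCRE reports an error (for example a backtrack or JIT stack limit),
 * so an engine failure is never mistaken for "no match".
 * Hypothetical helper written for this example.
 */
function firstToken(string $pattern, string $input): ?string
{
    $result = preg_match($pattern, $input, $m);
    if ($result === false) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result === 1 ? $m[1] : null;
}

// Constructed samples (not taken from the extension or the advisory).
$samples = [
    'plain'           => '<value>',
    'padded'          => '<  first name  >',
    'embedded'        => 'before <a b> after',
    'no brackets'     => 'nothing to extract',
    'unterminated'    => '<name',
    'whitespace only' => '<   >',
];

foreach ($samples as $label => $input) {
    $old = firstToken(ORIGINAL_PATTERN, $input);
    $new = firstToken(PATCHED_PATTERN, $input);
    printf(
        "%-16s old=%-16s new=%-16s %s\n",
        $label,
        var_export($old, true),
        var_export($new, true),
        $old === $new ? 'same' : 'DIFFERENT'
    );
}
```

The whitespace-only sample is the one place the two patterns disagree: the possessive `\s*+` keeps every space, so `[^<>]++` has nothing left to match and the patched pattern returns no token where the original captured a single space. A regression test for the upgrade should cover that case alongside the ordinary ones.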
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.