Medium severity 6.5 · NVD Advisory · Published Apr 11, 2025 · Updated Apr 15, 2026

CVE-2025-32079

Description

Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS. This issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input validation in MediaWiki GrowthExperiments allows users with write access to MediaWiki:GrowthMentors.json to cause a denial of service by supplying non-integer weight values.

Root Cause

The vulnerability lies in the GrowthExperiments extension for MediaWiki, specifically in the validation of the community configuration page MediaWiki:GrowthMentors.json. The file is processed on each request, and its content must be validated to prevent fatal errors. The validation logic in the StructuredMentorListValidator class is broken due to an unintended side effect of a prior code change (T383330) [1]. This allows the weight field for a mentor to be set to a non-integer value (e.g., a string like "tramvaj") [1].

Attack Vector

An attacker who has write access to MediaWiki:GrowthMentors.json can craft a malicious JSON payload where a mentor's weight property is not an integer. The content is then stored and processed on subsequent requests. When a user who is assigned that mentor (by user ID) triggers any request that loads mentor data, the extension attempts to pass the weight to the Mentor constructor as an integer, resulting in a type error [1].

Impact

The type error causes a fatal exception that crashes the request, leading to a denial of service condition affecting users who have the mentor assigned. The error is not isolated; it can take down the site for at least those users, making certain pages or API endpoints unavailable [1].

Mitigation

The issue affects GrowthExperiments from version 1.39 through 1.43. The Wikimedia Foundation has resolved the issue as a security task (T384244); users should update to a patched version or apply the fix from the referenced Phabricator task [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
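
An added example, not code from the GrowthExperiments extension: the read-time failure described above next to a save-time check that rejects non-integer weights. The names `ExampleMentor` and `validateMentorList`, and the `{"Mentors": {"<user id>": {"weight": ...}}}` layout, are assumptions made for illustration; the sample JSON is constructed.

```php
<?php
declare(strict_types=1);
// Requires PHP 8.0+ (constructor promotion, mixed, get_debug_type).

// Hypothetical stand-in for the extension's mentor value object; only the
// int-typed weight parameter matters here.
final class ExampleMentor {
    public function __construct(public int $userId, public int $weight) {}
}

/**
 * Validate a decoded mentor list before it is saved.
 * Returns a list of error strings; an empty list means the data is safe to store.
 * The {"Mentors": {"<user id>": {"weight": ...}}} layout is an assumption.
 */
function validateMentorList(mixed $data): array {
    if (!is_array($data) || !is_array($data['Mentors'] ?? null)) {
        return ['top-level "Mentors" object is missing or not an object'];
    }
    $errors = [];
    foreach ($data['Mentors'] as $userId => $mentor) {
        if (!is_array($mentor) || !array_key_exists('weight', $mentor)) {
            $errors[] = "mentor $userId: weight is missing";
        } elseif (!is_int($mentor['weight'])) {
            // is_int() rejects "tramvaj", "2", 2.5, true and null alike.
            $errors[] = "mentor $userId: weight must be an integer, got "
                . get_debug_type($mentor['weight']);
        }
    }
    return $errors;
}

// Constructed sample input, not taken from a real wiki.
$json = '{"Mentors": {"101": {"weight": 2}, "102": {"weight": "tramvaj"}}}';
$data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);

// Unvalidated path: the bad entry only fails later, when the object is built.
try {
    new ExampleMentor(102, $data['Mentors']['102']['weight']);
} catch (TypeError $e) {
    echo "read path: ", $e->getMessage(), "\n";
}

// Validated path: the same entry is rejected before it is stored.
foreach (validateMentorList($data) as $error) {
    echo "save path: $error\n";
}
```

Running the validator at save time turns a fatal error on every affected read into a rejected edit that only the editor sees.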

Patches

0

No patches discovered yet.

References

2
