CVE-2025-61635
Description
Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with the program file includes/FancyCaptcha/ApiFancyCaptchaReload.php.
This issue affects ConfirmEdit: *.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site request forgery (CSRF) vulnerability in the FancyCaptcha reload API of MediaWiki's ConfirmEdit extension allows attackers to force captcha reloads on behalf of authenticated users.
Vulnerability
Description
CVE-2025-61635 describes a cross-site request forgery (CSRF) vulnerability in the ConfirmEdit extension used by the MediaWiki platform. The flaw resides in the includes/FancyCaptcha/ApiFancyCaptchaReload.php file, which lacks proper CSRF protection. This means a malicious actor can craft a request that forces a logged-in user's browser to reload a FancyCaptcha image without the user's consent [1].
Exploitation
Method
An attacker can exploit this CSRF vulnerability by tricking an authenticated user into visiting a malicious page or clicking a crafted link that triggers a cross-origin request to the vulnerable API endpoint. No special authentication is required for the attacker beyond having a target user who is currently logged into a MediaWiki site using the ConfirmEdit extension. The attack requires no user interaction beyond the initial click or visit [1].
Impact
Successful exploitation allows an attacker to repeatedly reload captcha images for the victim, potentially causing a denial-of-service condition by exhausting the user's session or causing confusion. In scenarios where captcha reloads are rate-limited or tied to account actions, this could disrupt legitimate editing or login attempts by the targeted user. There is no direct data exfiltration or privilege escalation, but the attack undermines the availability of the captcha mechanism [1].
Mitigation
The vulnerability affects all versions of ConfirmEdit. As of publication, patching instructions are available in the Wikimedia Phabricator ticket [1]. Users should update to the latest patched version of the ConfirmEdit extension as soon as possible. No workaround is currently available aside from disabling the FancyCaptcha module or applying the vendor-supplied patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ConfirmEdit, version range: *
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.