CVE-2025-62655

Vulnerability

A SQL injection vulnerability exists in the MediaWiki Cargo extension, specifically in the Special:CargoExport page. The issue stems from improper neutralization of special elements used in an SQL command, allowing an attacker to inject arbitrary SQL queries. The vulnerability affects Cargo extension versions 1.39, 1.43, and 1.44 [1].

Exploitation

To exploit this vulnerability, an attacker must have access to the Special:CargoExport page. By crafting malicious input parameters, the attacker can inject SQL commands that are executed against the MediaWiki database. The attack requires no special privileges beyond the ability to access the page [1].

Impact

Successful exploitation allows an attacker to extract sensitive information from the database, including user credentials, private data, and configuration details. The impact is limited by the database permissions of the MediaWiki application, but could lead to a full compromise of the wiki's data [1].

Mitigation

The vulnerability has been patched in the master branch of the Cargo extension. Backports to the affected release branches (1.39, 1.43, 1.44) are being considered, but may be abandoned or require forced merging due to unrelated test failures. Users are advised to update to the latest master version or apply the patch manually [1].