VYPR
Low severity · NVD Advisory · Published Feb 2, 2026 · Updated Apr 15, 2026

CVE-2025-6593

Description

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the program file includes/user/User.php.

This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MediaWiki sends a 'registered email changed' notification to unverified email addresses, potentially leaking information.

Vulnerability

Overview

CVE-2025-6593 is a vulnerability in MediaWiki, affecting releases from 1.27.0 up to, but not including, the fixed versions 1.39.13, 1.42.7, 1.43.2, and 1.44.0. The issue resides in the file includes/user/User.php. When a user changes their registered email address, MediaWiki sends a notification email to the *old* address, even if that old address was never verified. The notification contains the message "{{SITENAME}} registered email address has been changed", as described in the Phabricator task [1].

Exploitation

Prerequisites

An attacker does not need any special privileges to trigger this behavior. The vulnerability is exposed whenever a legitimate user updates their email address on a wiki. If the old email address is unverified, it may belong to an expired account or be an address the user no longer controls. An attacker who can monitor that unverified mailbox (e.g., through a recycled or typo-squatted domain) could receive the notification. No authentication is required to receive the email; the notification is sent automatically by the server.

Impact

The primary impact is information leakage. An attacker who receives the notification learns that the specific username (from the notification) has changed their email address on the wiki. This could confirm the existence of a user account tied to an unverified email, potentially enabling targeted phishing or enumeration attacks. The notification itself does not contain the new email address, but it provides a vector for social engineering. The severity is rated Low because the attack requires control over the unverified email destination and does not directly compromise the wiki or user data.

Mitigation

The vulnerability has been patched in MediaWiki versions 1.39.13, 1.42.7, 1.43.2, and 1.44.0 [1]. Users running affected versions should upgrade immediately. There are no known workarounds. The fix likely ensures that notification emails are only sent to verified email addresses, preventing the leakage to unverified recipients.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)