CVE-2025-6927
Description
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the program files includes/specials/pagers/BlockListPager.php and includes/api/ApiQueryBlocks.php.
This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Autoblocks triggered by globally suppressed accounts were listed publicly in MediaWiki, making the suppression status of those accounts visible via block lists.
Root Cause
CVE-2025-6927 is a vulnerability in MediaWiki's block list display logic. When a global account is suppressed (hidden from public view), any subsequent autoblock generated by that account's actions was still listed on the Special:BlockList page and returned by the ApiQueryBlocks API. The affected code resides in includes/specials/pagers/BlockListPager.php and includes/api/ApiQueryBlocks.php. This caused the suppressed account's username to appear in the block list, thereby revealing that the account had been suppressed [1].
Exploitation
An unauthenticated attacker can visit Special:BlockList or query the ApiQueryBlocks API endpoint to view the list of active blocks. If a globally suppressed account had triggered an autoblock, that autoblock entry would be visible, including the suppressed account's username. No special privileges or authentication are required to access these public pages [1].
Impact
By observing the autoblock entries, an attacker can infer that a particular account has been globally suppressed. This defeats the purpose of suppression, which is meant to hide from public view both the account and the fact that it has been blocked or restricted. The vulnerability has a CVSS score of 5.3 (Medium) because it leaks non-sensitive metadata but does not allow direct account compromise or data modification [1].
Mitigation
The issue affects MediaWiki versions 1.42.0 through 1.39.13, 1.42.7, 1.43.2, and 1.44.0. The fix was committed to the MediaWiki codebase and is included in subsequent releases. Administrators should upgrade to a patched version (1.39.14, 1.42.8, 1.43.3, or later) to prevent autoblocks from revealing suppressed accounts [1].
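The leak described above, modelled as an added example (not MediaWiki's own code): a simplified public block-list view whose rows, record fields and usernames are all constructed here. In the vulnerable mode an autoblock row that references a suppressed parent block is still listed, so the hidden username can be inferred; the fixed mode drops such rows before rendering.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed block record; field names are assumptions, not MediaWiki's schema.
@dataclass
class Block:
    block_id: int
    target: str                       # username or IP the block applies to
    autoblock: bool = False           # created automatically from a parent block
    parent_id: Optional[int] = None   # parent block for autoblocks

def render_row(block, by_id):
    # The public row of an autoblock names the user of its parent block,
    # which is what exposed suppressed accounts in the vulnerable listing.
    if block.autoblock and block.parent_id in by_id:
        return f"Autoblock #{block.block_id} (from block on {by_id[block.parent_id].target})"
    return f"Block #{block.block_id} on {block.target}"

def public_block_list(blocks, hidden_users, fixed=True):
    """Return the rows a logged-out viewer would see on the block list."""
    by_id = {b.block_id: b for b in blocks}
    rows = []
    for b in blocks:
        # Direct blocks on a suppressed account were already withheld.
        if b.target in hidden_users:
            continue
        # Patched behaviour: also withhold autoblocks derived from a
        # suppressed account, since the row would reveal the parent's target.
        if fixed and b.autoblock:
            parent = by_id.get(b.parent_id)
            if parent is not None and parent.target in hidden_users:
                continue
        rows.append(render_row(b, by_id))
    return rows

def leaked_hidden_users(rows, hidden_users):
    """Which suppressed usernames can be read off the rendered rows."""
    return {u for u in hidden_users if any(u in row for row in rows)}

# Constructed sample data: one suppressed user with a direct block and an autoblock.
SAMPLE_BLOCKS = [
    Block(1, "SuppressedUser"),
    Block(2, "203.0.113.7", autoblock=True, parent_id=1),
    Block(3, "OrdinaryVandal"),
]
HIDDEN = {"SuppressedUser"}
```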
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1. Range: >= 1.42.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.