Session fixation in MediaWiki - CVE-2025-6592
Published: August 7, 2025


Vulnerability identifier: #VU113746
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-6592
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: MediaWiki.org
Affected software:
MediaWiki

Detailed vulnerability description

The vulnerability allows a remote attacker to perform session fixation attacks.

The vulnerability exists because the software associates temporary user accounts with newly registered user accounts, leading to data such as username and IP address being merged. This can lead to potential account takeover if an attacker had control over the temp user session.

How to mitigate CVE-2025-6592

Install updates from vendor's website.
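The weakness class here is CWE-384: a session established for an unauthenticated (temporary) identity keeps its identifier when that identity becomes a registered account, so whoever already knew the pre-registration session ID ends up holding an authenticated session. The following added example is a generic, self-contained illustration of that pattern and of the standard fix (rotate the session ID and invalidate the old one on any identity change); it is not MediaWiki code, and the class and function names are constructed for the illustration.

```python
"""
Generic illustration of CWE-384 (session fixation) in the form described
in the advisory: a pre-registration session carried into a registered
account. Constructed example; not MediaWiki's implementation.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    # "temp:<id>" for a temporary/unregistered identity, else the account name
    user: str
    authenticated: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def start_temp_session(self) -> str:
        """Create a session for a temporary (unregistered) user; return its ID."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user=f"temp:{sid[:8]}")
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def register_in_place(self, sid: str, username: str) -> str:
        """Vulnerable pattern: the temporary session is upgraded in place.

        The session ID never changes, so any party that knew the ID before
        registration now holds an authenticated session for the new account.
        """
        sess = self._sessions[sid]
        sess.user = username
        sess.authenticated = True
        return sid

    def register_with_rotation(self, sid: str, username: str) -> str:
        """Fixed pattern: issue a fresh ID on identity change, drop the old one.

        A previously known ID grants nothing once the account exists.
        """
        self._sessions.pop(sid)  # invalidate the pre-registration session
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = Session(user=username, authenticated=True)
        return new_sid


def demo() -> Tuple[bool, bool, bool]:
    """Return (old_id_valid_vulnerable, old_id_invalid_fixed, new_id_valid_fixed)."""
    # Vulnerable flow: assume `fixated` became known to a third party earlier.
    store = SessionStore()
    fixated = store.start_temp_session()
    store.register_in_place(fixated, "alice")
    old_id_valid_vulnerable = store.get(fixated).authenticated  # True

    # Fixed flow: the same pre-registration ID is useless afterwards.
    store2 = SessionStore()
    fixated2 = store2.start_temp_session()
    new_sid = store2.register_with_rotation(fixated2, "bob")
    old_id_invalid_fixed = store2.get(fixated2) is None        # True
    new_id_valid_fixed = store2.get(new_sid).authenticated      # True
    return old_id_valid_vulnerable, old_id_invalid_fixed, new_id_valid_fixed


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The detection angle for defenders is the same as the fix: an authenticated session whose identifier predates the account's creation should not exist, and session-rotation-on-login is the control that guarantees it.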
