CVE-2025-11175 — Expression Language Injection in Mediawiki

CWE-917 — Expression Language Injection5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.0%

top 97.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki THE Wikimedia Foundation Mediawiki Discussiontools Extension

Timeline

PublishedJan 30

Description

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages3 packages

▶CVEListV5the_wikimedia_foundation/mediawiki_discussiontools_extension1.43, 1.44+1

▶debiandebian/mediawiki< mediawiki 1:1.43.5+dfsg-1 (forky)

▶Debianmediawiki/mediawiki< 1:1.43.6+dfsg-1~deb13u1+1

🔴Vulnerability Details

OSV

CVE-2025-11175: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia↗2026-01-30

▶

GHSA

GHSA-2jhx-qqh2-9q63: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia↗2026-01-30

▶

📋Vendor Advisories

Debian

CVE-2025-11175: mediawiki - Improper Neutralization of Special Elements used in an Expression Language State...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-11175 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶