
CVE-2025-54865: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in FTB-Gamepedia Tilesheets

Severity: High
Tags: Vulnerability, CVE-2025-54865, CWE-89
Published: Tue Aug 05 2025 (08/05/2025, 00:03:46 UTC)
Source: CVE Database V5
Vendor/Project: FTB-Gamepedia
Product: Tilesheets

Description

Tilesheets MediaWiki Extension adds a table lookup parser function for an item and returns the requested image. A missing backtick in a query executed by the Tilesheets extension allows users to insert and potentially execute malicious SQL code. This issue has not been fixed.

AI-Powered Analysis

AI analysis last updated: 08/13/2025, 01:00:20 UTC

Technical Analysis

CVE-2025-54865 is a high-severity SQL injection vulnerability (CWE-89) in the Tilesheets extension for MediaWiki, maintained by FTB-Gamepedia, affecting versions up to and including 5.0.3. The extension provides a parser function that looks up an item in a database table and returns the associated image. The query behind that lookup is built with a missing backtick, so special characters in the input are not neutralized and reach the SQL command. This allows an unauthenticated remote attacker to inject SQL into the query. Exploitation requires no privileges or user interaction, and the attack vector is network-based, so the flaw is comparatively easy to exploit. Successful exploitation can lead to unauthorized disclosure of data (confidentiality impact), unauthorized modification of data (integrity impact), and disruption of service (availability impact). No exploits in the wild have been reported, but the vulnerability remains unpatched, which raises the risk of future exploitation. The CVSS v3.1 base score is 7.3, reflecting the ease of exploitation and the potential impact on affected systems. All MediaWiki deployments running Tilesheets <= 5.0.3, which is used to manage and display game-related content and images, are affected.
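To make the defect class concrete, the following Python/sqlite3 example (added here; it is not the Tilesheets extension's code and does not reproduce its query) shows a hypothetical item-to-image lookup built by string splicing next to a hardened version. The table name `ext_tilesheet_items`, its columns, the function names and the sample rows are all constructed assumptions. The hardened version also covers the case a missing backtick points at: an identifier such as a column name cannot be passed as a bound parameter, so it is checked against an allow-list and quoted separately.

```python
"""Hypothetical item -> image lookup: unsafe string-built query next to a
hardened one. Constructed illustration, not the Tilesheets extension's source;
table/column names and sample rows are assumptions."""
import sqlite3

# Constructed sample data standing in for a tilesheet table (assumption).
SAMPLE_ROWS = [
    ("Iron Ingot", "Minecraft", "iron_ingot.png"),
    ("Copper Wire", "Mod A", "copper_wire.png"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ext_tilesheet_items (item_name TEXT, mod_name TEXT, image TEXT)"
    )
    conn.executemany("INSERT INTO ext_tilesheet_items VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, item, mod):
    """Vulnerable pattern: caller-controlled text spliced into the SQL string.
    A quote character in the input ends the literal early and whatever
    follows is parsed as SQL, which is the CWE-89 condition."""
    sql = (
        "SELECT image FROM ext_tilesheet_items "
        f"WHERE item_name = '{item}' AND mod_name = '{mod}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


# Identifiers cannot be bound as parameters, so the only safe handling is an
# allow-list of known column names followed by proper identifier quoting.
ALLOWED_COLUMNS = {"item_name", "mod_name"}


def quote_identifier(name):
    """Accept only a known column and wrap it in standard SQL identifier quotes
    (MySQL would use backticks here; the effect is the same)."""
    if name not in ALLOWED_COLUMNS:
        raise ValueError(f"unexpected column: {name!r}")
    return '"' + name + '"'


def lookup_safe(conn, item, mod, order_by="item_name"):
    """Hardened lookup: values travel as bound parameters, the identifier is
    allow-listed and quoted, so input can never change the query's shape."""
    sql = (
        "SELECT image FROM ext_tilesheet_items "
        "WHERE item_name = ? AND mod_name = ? "
        f"ORDER BY {quote_identifier(order_by)}"
    )
    return sorted(row[0] for row in conn.execute(sql, (item, mod)))


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, "Iron Ingot", crafted))  # every row leaks
    print("safe:  ", lookup_safe(db, "Iron Ingot", crafted))    # no match
```

The crafted value is treated as plain text by the bound parameter, so the hardened lookup returns nothing, whereas the spliced query returns every row. MediaWiki's own database layer offers equivalent value-binding and identifier-quoting helpers; the point here is that both kinds of input need handling, not just string values.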

Potential Impact

For European organizations using the FTB-Gamepedia Tilesheets extension, this vulnerability poses significant risks. MediaWiki is widely used for collaborative documentation and knowledge management, including in educational institutions, gaming communities, and some corporate environments. An attacker exploiting this SQL injection could extract sensitive information from the backend database, modify or delete content, or cause denial of service by disrupting database operations. This could lead to data breaches, loss of trust, and operational downtime. Given that the vulnerability requires no authentication and no user interaction, attackers can remotely compromise vulnerable servers at scale. European organizations involved in gaming, digital content management, or community-driven platforms that utilize this extension are particularly at risk. Additionally, if the compromised MediaWiki instances are used as part of internal knowledge bases or documentation repositories, the integrity and availability of critical information could be jeopardized, impacting business continuity and compliance with data protection regulations such as GDPR.

Mitigation Recommendations

Since no patch is currently available, European organizations should implement immediate compensating controls. First, restrict network access to the MediaWiki instances running the Tilesheets extension by implementing firewall rules or VPN access to limit exposure to trusted users only. Second, employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the Tilesheets parser function. Third, review and sanitize all user inputs that interact with the Tilesheets extension, potentially disabling or removing the extension if feasible until a patch is released. Fourth, monitor logs for unusual database queries or errors indicative of injection attempts. Fifth, consider deploying database-level protections such as query parameterization or least privilege database accounts to limit the impact of injection. Finally, maintain an active vulnerability management process to apply the official patch promptly once it becomes available and conduct regular security assessments of MediaWiki deployments.
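The fourth recommendation, watching logs for database errors that indicate injection attempts, can be turned into a small correlation rule. The Python example below is added here and is not part of the advisory or of any MediaWiki tooling; the key=value log layout and the sample lines are constructed (203.0.113.0/24 is documentation address space), and the threshold and window are assumptions to tune per site. It counts SQL error lines per client in a sliding window and flags clients that trip the threshold, which is the kind of signal a missing-backtick bug produces when someone probes it with malformed input.

```python
"""Sliding-window count of SQL error lines per client. Added illustration;
log layout and sample lines are constructed, not MediaWiki's real format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: generic key=value application log).
SAMPLE_LOG = """\
2025-08-05T10:00:01Z client=203.0.113.5 level=INFO msg="tilesheet lookup ok"
2025-08-05T10:00:03Z client=203.0.113.9 level=ERROR msg="DB error 1064: You have an error in your SQL syntax"
2025-08-05T10:00:04Z client=203.0.113.9 level=ERROR msg="DB error 1064: You have an error in your SQL syntax"
2025-08-05T10:00:06Z client=203.0.113.9 level=ERROR msg="DB error 1064: You have an error in your SQL syntax"
2025-08-05T10:00:07Z client=203.0.113.9 level=ERROR msg="DB error 1054: Unknown column"
2025-08-05T10:05:00Z client=203.0.113.5 level=ERROR msg="DB error 1064: You have an error in your SQL syntax"
this line does not match the expected layout
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) level=(?P<level>\S+) msg="(?P<msg>[^"]*)"$'
)

# Real MySQL error codes that surface when crafted input breaks a query:
# 1064 is a parse/syntax error, 1054 is an unknown column.
ERROR_CODES = ("1064", "1054")


def parse_line(line):
    """Return a dict with a parsed timestamp, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_sql_error(rec):
    """True for ERROR lines carrying one of the watched MySQL codes."""
    return rec["level"] == "ERROR" and any(
        f"error {code}" in rec["msg"] for code in ERROR_CODES
    )


def find_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {client: max_count} for clients that produced at least
    `threshold` SQL error lines inside any span of length `window`."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sql_error(rec):
            continue
        per_client[rec["client"]].append(rec["ts"])

    alerts = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start = 0
        best = 0
        for end in range(len(stamps)):
            # Advance the window start until it fits within `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[client] = best
    return alerts


if __name__ == "__main__":
    for client, count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {client}: {count} SQL errors within 60s")
```

A single error from a client is ordinary noise; several parse errors from one source in quick succession against the same wiki is worth a look, and the same counts feed naturally into a WAF block list or a least-privilege review of the database account the extension uses.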


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-31T17:23:33.472Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689154aead5a09ad00e467ff

Added to database: 8/5/2025, 12:47:42 AM

Last enriched: 8/13/2025, 1:00:20 AM

Last updated: 9/15/2025, 8:32:58 PM
