CVE-2025-61646 is a directory traversal vulnerability (CWE-22) found in the Wikimedia Foundation's MediaWiki software, specifically within the includes/RecentChanges/EnhancedChangesList.php file. This vulnerability affects all versions prior to 1.39.14, 1.43.4, and 1.44.1. The flaw allows an attacker to manipulate file path inputs to access files outside the intended directory scope, potentially exposing sensitive files on the server. The CVSS 4.0 base score is 1.2, indicating low severity, with the vector showing network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L, meaning low privileges), and user interaction required (UI:P). The impact is limited to confidentiality with no integrity or availability impact. No known exploits have been reported in the wild, and no patches are currently linked, suggesting the vulnerability is newly disclosed or under remediation. The vulnerability arises from insufficient input validation or sanitization of file path parameters in the EnhancedChangesList.php script, which handles recent changes display functionality. This could allow an attacker to craft malicious requests to read arbitrary files accessible by the web server user, potentially leaking configuration files or other sensitive data.

The primary impact of CVE-2025-61646 is limited unauthorized disclosure of information due to directory traversal. If exploited, attackers could access sensitive files on MediaWiki servers, potentially exposing configuration details, credentials, or other internal data. However, the low CVSS score and requirement for user interaction reduce the likelihood and severity of exploitation. The vulnerability does not affect data integrity or availability, limiting its impact to confidentiality. Organizations running vulnerable MediaWiki versions may face increased risk of information leakage, which could aid further attacks if sensitive data is exposed. Since MediaWiki is widely used for collaborative documentation and knowledge bases, exposure of internal files could undermine organizational security and privacy. The absence of known exploits in the wild suggests limited active threat currently, but the vulnerability should be addressed promptly to prevent future exploitation.

Organizations should prioritize upgrading MediaWiki installations to versions 1.39.14, 1.43.4, 1.44.1 or later once patches are released. Until patches are available, administrators should implement strict input validation and sanitization on any user-supplied file path parameters, especially in the EnhancedChangesList.php component. Restricting web server file system permissions to limit access to sensitive files can reduce the impact of potential exploitation. Monitoring web server logs for suspicious requests targeting the RecentChanges functionality can help detect attempted exploitation. Employing web application firewalls (WAFs) with rules to block directory traversal patterns may provide temporary protection. Additionally, educating users about the risk of interacting with untrusted links or content can reduce the likelihood of successful exploitation requiring user interaction. Regular security audits and vulnerability scanning of MediaWiki deployments are recommended to detect and remediate similar issues proactively.