CVE-2025-61653 is a directory traversal vulnerability identified in the Wikimedia Foundation's TextExtracts extension, which is used to extract plain text from wiki pages via API queries. The vulnerability resides in the includes/ApiQueryExtracts.php file, where insufficient validation of user-supplied input allows an attacker to manipulate file paths. This weakness corresponds to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The affected versions include all versions prior to 1.39.14, 1.43.4, and 1.44.1. The vulnerability can be exploited remotely without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The CVSS 4.0 base score is 2.7, reflecting a low severity primarily due to limited confidentiality impact and no impact on integrity or availability. The attacker could potentially read files outside the intended directory scope, leading to limited information disclosure. No exploits have been reported in the wild, and no official patches have been linked yet, though the affected versions suggest that fixes may be included in the specified later versions. The vulnerability's scope is limited to Wikimedia Foundation's TextExtracts extension, which is typically deployed in MediaWiki installations that utilize this extension for API-based text extraction.

The primary impact of CVE-2025-61653 is limited information disclosure through unauthorized file access. While the vulnerability does not allow modification or deletion of data, nor does it affect system availability, the exposure of sensitive files could aid attackers in reconnaissance or further exploitation. Organizations running MediaWiki with the TextExtracts extension in affected versions may inadvertently expose internal configuration files or other sensitive data if the API is accessible externally. Given the low CVSS score and lack of known exploits, the immediate risk is low; however, public-facing wiki installations with sensitive content or internal deployment could be targeted for information gathering. The vulnerability could be leveraged as part of a multi-stage attack chain but is unlikely to cause direct severe damage on its own.

Organizations should first identify if they are running affected versions of the Wikimedia Foundation TextExtracts extension. Since no official patches are linked yet, administrators should monitor Wikimedia Foundation security advisories for updates and apply patches promptly once released. In the interim, restricting external access to the API endpoints that utilize TextExtracts can reduce exposure. Implementing web application firewalls (WAFs) with rules to detect and block directory traversal attempts targeting ApiQueryExtracts.php is advisable. Additionally, auditing MediaWiki configurations to limit API access to trusted users or networks can mitigate risk. Regularly reviewing server logs for suspicious file path requests and employing intrusion detection systems to alert on anomalous API usage will help detect exploitation attempts early. Finally, consider upgrading to the fixed versions (1.39.14, 1.43.4, 1.44.1 or later) as soon as they become available.