PT-2025-29123 · Mediawiki+1
Somemwdev · Published 2025-07-10 · Updated 2025-07-15
CVE-2025-53371
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions:
DiscordNotifications extension for MediaWiki (affected versions not specified)
Description:
The DiscordNotifications extension for MediaWiki allows sending requests to arbitrary URLs set via the configuration variables $wgDiscordIncomingWebhookUrl and $wgDiscordAdditionalIncomingWebhookUrls. This can lead to a denial-of-service (DoS) attack by causing the server to read large files. Server-Side Request Forgery (SSRF) is also possible if internal, unprotected APIs are accessible via HTTP POST requests, potentially leading to Remote Code Execution (RCE).
Recommendations:
Update to a version containing commit 1f20d850cbcce5b15951c7c6127b87b927a5415e.
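A defensive check for the two configuration variables named in the description, as an added example (not the extension's code, and not necessarily what the fix commit does): it accepts only https URLs on Discord hosts with a webhook path and reports everything else. The host allowlist, the path pattern, the function names and the sample values are assumptions.

```php
<?php
// Added example: not the extension's code. Host allowlist and path shape
// are assumptions about what a Discord webhook URL looks like.
const ALLOWED_WEBHOOK_HOSTS = [ 'discord.com', 'discordapp.com', 'canary.discord.com', 'ptb.discord.com' ];

function isAllowedDiscordWebhookUrl( $url ): bool {
	if ( !is_string( $url ) ) {
		return false;
	}
	$parts = parse_url( $url );
	// Scheme, host and path must all be present (file:///... has no host).
	if ( !is_array( $parts ) || !isset( $parts['scheme'], $parts['host'], $parts['path'] ) ) {
		return false;
	}
	// https only; no userinfo or explicit port that could disguise the real target.
	if ( strtolower( $parts['scheme'] ) !== 'https'
		|| isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] )
	) {
		return false;
	}
	if ( !in_array( strtolower( $parts['host'] ), ALLOWED_WEBHOOK_HOSTS, true ) ) {
		return false;
	}
	// /api/webhooks/<numeric id>/<token>, nothing before or after.
	return preg_match( '#^/api/webhooks/\d+/[A-Za-z0-9_-]+\z#', $parts['path'] ) === 1;
}

// Returns every configured URL that fails the check (hypothetical helper).
function findRejectedWebhookUrls( $primary, array $additional ): array {
	$rejected = [];
	foreach ( array_merge( [ $primary ], $additional ) as $url ) {
		if ( !isAllowedDiscordWebhookUrl( $url ) ) {
			$rejected[] = $url;
		}
	}
	return $rejected;
}

// Constructed sample values standing in for the two configuration variables.
$wgDiscordIncomingWebhookUrl = 'https://discord.com/api/webhooks/123456789012345678/EXAMPLE_token-value';
$wgDiscordAdditionalIncomingWebhookUrls = [
	'http://127.0.0.1:8080/internal/api',
	'file:///var/log/large.log',
	'https://discord.com.attacker.example/api/webhooks/1/x',
	'https://discord.com@10.0.0.5/api/webhooks/1/x',
];
print_r( findRejectedWebhookUrls( $wgDiscordIncomingWebhookUrl, $wgDiscordAdditionalIncomingWebhookUrls ) );
```

Validating the URL does not cover redirects, so the code that sends the request should also refuse to follow them.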
Exploit
Fix
Resource Exhaustion
SSRF
Related Identifiers
Affected Products
Discordnotifications
Mediawiki