Platform: php
Component: discordnotifications
Fixed in: 1.0.1
CVE-2025-53371 is a critical (CVSS 9.1) vulnerability in the DiscordNotifications extension for MediaWiki, which forwards wiki actions to Discord. The extension sends HTTP requests to whatever URLs are configured as its notification targets without restricting them, so an attacker who can influence those URLs can cause Denial of Service, Server-Side Request Forgery and, depending on what the wiki server can reach, Remote Code Execution. All revisions prior to commit 1f20d850cbcce5b15951c7c6127b87b927a5415e are affected; that commit contains the fix.
The vulnerable code passes the values of $wgDiscordIncomingWebhookUrl and $wgDiscordAdditionalIncomingWebhookUrls straight to curl and file_get_contents, so each notification request goes wherever those values point. Three consequences follow. A URL that points at a very large resource makes the server read it in full, which is a Denial of Service. A URL that points at an internal host turns the wiki into an SSRF proxy for HTTP POST requests, reaching services that are not exposed to the network. If one of those internal services is unauthenticated and accepts commands over POST, the SSRF can escalate to Remote Code Execution on that service or on the wiki host itself. Note that these URLs are MediaWiki configuration values: exploitation requires the ability to set or alter them, for example through access to LocalSettings.php or to the process that generates it.
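As an added illustration in PHP (not code from the DiscordNotifications extension or from its fix commit), the unsafe pattern the advisory describes beside a hardened sender. The function names, the host allow-list, the curl options and the sample URLs are assumptions for this example; the advisory does not say how the fix commit itself validates the configured URLs. The sample URLs are constructed and the validator runs on them without any network access.

```php
<?php
// Added example, not code from the DiscordNotifications extension.
// Shows the unsafe pattern the advisory describes (a config-supplied URL
// passed straight to file_get_contents/curl) beside a hardened sender.
// Function names, the allow-list and the sample URLs are assumptions.

declare(strict_types=1);

// Vulnerable pattern: whatever is in $wgDiscordIncomingWebhookUrl is fetched.
// A value such as "file:///var/log/syslog", "http://169.254.169.254/..." or
// "http://localhost:8080/internal/admin" is contacted exactly as configured.
function sendWebhookUnsafe(string $url, string $json): string|false
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/json\r\n",
        'content' => $json,
    ]]);
    return file_get_contents($url, false, $ctx);
}

// Hardened: reject anything that is not an HTTPS Discord webhook URL before
// any network or file access happens, then pin curl to HTTPS only.
final class WebhookUrlPolicy
{
    /** Hosts Discord serves webhooks from (assumed allow-list for this example). */
    private const ALLOWED_HOSTS = ['discord.com', 'discordapp.com'];
    private const PATH_PATTERN  = '#^/api/webhooks/\d+/[A-Za-z0-9_-]+$#';

    public static function validate(string $url): bool
    {
        $p = parse_url($url);
        if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
            return false;
        }
        if (strtolower($p['scheme']) !== 'https') {
            return false;                  // blocks file://, http://, gopher://, ...
        }
        if (isset($p['port']) || isset($p['user']) || isset($p['pass'])) {
            return false;                  // no custom ports, no embedded credentials
        }
        if (!in_array(strtolower($p['host']), self::ALLOWED_HOSTS, true)) {
            return false;                  // no internal hosts, raw IPs or look-alike domains
        }
        return preg_match(self::PATH_PATTERN, $p['path']) === 1;
    }
}

function sendWebhookSafe(string $url, string $json): bool
{
    if (!WebhookUrlPolicy::validate($url)) {
        throw new InvalidArgumentException("Refusing non-Discord webhook URL: $url");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => $json,
        CURLOPT_HTTPHEADER      => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,  // never file:// or plain http://
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,            // a redirect cannot re-target the request
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_MAXFILESIZE     => 65536,            // bound the response read (DoS)
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return $body !== false && $status >= 200 && $status < 300;
}

// Constructed sample values: the first is the shape of a real Discord webhook
// URL, the rest are how an attacker-controlled configuration value could look.
$samples = [
    'https://discord.com/api/webhooks/123456789012345678/aBcDeF_gHiJ-kLmN',
    'file:///var/log/syslog',
    'http://127.0.0.1:8080/internal/admin/run',
    'https://discord.com.evil.example/api/webhooks/1/x',
];
foreach ($samples as $u) {
    printf("%-70s %s\n", $u, WebhookUrlPolicy::validate($u) ? 'allowed' : 'rejected');
}
```

Only the first sample passes the policy; the other three are rejected before any request is made, which is the property that closes the DoS and SSRF paths. The curl options matter as a second layer: restricting CURLOPT_PROTOCOLS and disabling redirects means that even a validated discord.com URL cannot be bounced to an internal address by a 3xx response.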
CVE-2025-53371 was publicly disclosed on 2025-07-10. No public proof-of-concept exploit is known, and the vulnerability is not listed on CISA KEV. The CVSS score of 9.1 describes the impact once the configured webhook URLs are under attacker control; exploitation still depends on reaching that position, so patch promptly and assess exposure by who is able to change the extension's configuration.
Exploit Status
EPSS: 0.06% (17th percentile)
The primary mitigation for CVE-2025-53371 is to update the DiscordNotifications extension to a revision that includes commit 1f20d850cbcce5b15951c7c6127b87b927a5415e. If that is not immediately feasible, disable the extension in LocalSettings.php until it can be updated. In the meantime, check that $wgDiscordIncomingWebhookUrl and every entry of $wgDiscordAdditionalIncomingWebhookUrls is an https URL on discord.com under /api/webhooks/, restrict who can modify LocalSettings.php and any configuration pipeline that produces it, and apply egress filtering so the web server cannot reach internal services or link-local addresses. After updating, confirm the fix is present by checking that the fixed commit is an ancestor of the checked-out revision in the extension directory (git log there), and re-inspect the configured webhook URLs. A notification sent to a legitimate Discord webhook must still arrive after the update, since the extension continues to contact the configured URL; the fix changes what it will accept, not whether it sends.
Update the DiscordNotifications extension to a revision that includes commit 1f20d850cbcce5b15951c7c6127b87b927a5415e. This removes the DoS, SSRF and possible RCE paths described above. Check the extension's release notes for any additional changes shipped with the update.
CVE-2025-53371 is a critical vulnerability in the DiscordNotifications extension for MediaWiki: the extension sends requests to arbitrary configured URLs, enabling DoS, SSRF and potentially RCE.
You are affected if you run DiscordNotifications for MediaWiki at any revision prior to commit 1f20d850cbcce5b15951c7c6127b87b927a5415e.
Update the DiscordNotifications extension to a revision that includes commit 1f20d850cbcce5b15951c7c6127b87b927a5415e. Temporarily disable the extension if updating is not immediately possible.
There are currently no known public exploits; the high CVSS score indicates the impact if the configured webhook URLs fall under attacker control.
Refer to the MediaWiki security advisories page for the latest information and updates regarding CVE-2025-53371.