Description

If a target user is suppress blocked on another wiki (not the local one) the activeLocalBlocksAllWikis count will include the suppress blocks, even if your user does not have rights to see the suppress block.

Apparently this is a bug in CentralAuthUser::getBlocks(). For example, it also affects Special:CentralAuth.

Reproduction steps

Login to https://test.wikipedia.org
Enable UIC by submitting https://test.wikipedia.org/wiki/Special:ApiSandbox#action=options&format=json&optionname=checkuser-userinfocard-enable&optionvalue=1
Go to https://test.wikipedia.org/wiki/Special:ListUsers?username=Drwpb2&limit=1
Open your browsers Network tab
Open the UIC icon next to Drwpb2
In the Network tab, there will be a request to test.wikipedia.org/w/rest.php/checkuser/v0/userinfo
Click this and choose the "Response" tab (on Firefox, might be called something different on Chrome)

Expected: In the response there should be a line activeLocalBlocksAllWikis: 0
Observed: Instead it is activeLocalBlocksAllWikis: 1

Environment: https://test.wikipedia.org CheckUser 2.5 (444619c) 16:19, 28 July 2025.

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()	mediawiki/extensions/CentralAuth	REL1_43	+6 -1
SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()	mediawiki/extensions/CentralAuth	REL1_44	+6 -1
SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()	mediawiki/extensions/CentralAuth	REL1_39	+455 -0
SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()	mediawiki/extensions/CentralAuth	master	+6 -1

Customize query in gerrit

Related Objects

Mentioned In: T397776: Write and send supplementary release announcement for extensions and skins with security patches (1.39.14/1.43.4/1.44.1)
Mentioned Here: rECHU444619c8fe32: UserInfoCard: Fix closing card on clicking toggle

Event Timeline

dom_walden created this task.Jul 31 2025, 12:32 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 31 2025, 12:33 PM

dom_walden added projects: Trust and Safety Product Team, CheckUser-UserInfoCard.Jul 31 2025, 12:33 PM

dom_walden added subscribers: Djackson-ctr, OKryva-WMF, Madalina and 8 others.Jul 31 2025, 12:57 PM

As a short term fix, I think we should not include any suppressed blocks in CentralAuthUser::getBlocks(). As a longer term fix, after the security issue is patched, we would probably need to make API queries to each wiki that's being queried to check for whether the performing user has permissions to view suppressed blocks.

Setting 0.5 for the proposed short term fix of excluding suppressed blocks.

• Jly added a project: SecTeam-Processed.Aug 4 2025, 11:15 AM

• Jly moved this task from Incoming to Watching on the Security-Team board.

• Jly added a project: Vuln-Infoleak.

Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Aug 6 2025, 9:02 AM

Dreamy_Jazz added a project: Trust and Safety Product Sprint.

Dreamy_Jazz moved this task from Backlog to Maintenance to triage on the Trust and Safety Product Sprint board.Aug 6 2025, 6:40 PM

sbassett removed a project: Security-Team.Aug 11 2025, 4:34 PM

Niharika moved this task from Inbox to Triaged on the CheckUser-UserInfoCard board.Aug 12 2025, 2:13 PM

Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)); removed Trust and Safety Product Sprint.Aug 12 2025, 4:14 PM

OKryva-WMF moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 12 2025, 4:53 PM

OKryva-WMF triaged this task as High priority.Aug 12 2025, 5:02 PM

OKryva-WMF lowered the priority of this task from High to Medium.

OKryva-WMF added a project: OKR-Work.Aug 14 2025, 9:54 AM

• mszabo changed the task status from Open to In Progress.Aug 15 2025, 12:55 PM

• mszabo moved this task from Ready to In Progress on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.

Proposed patch:

T400892.patch1 KBDownload

kostajh added a project: MediaWiki-extensions-CentralAuth.Aug 18 2025, 5:22 AM

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptAug 18 2025, 5:22 AM

In T400892#11089557, @mszabo wrote:

Proposed patch:
T400892.patch1 KBDownload

kostajh assigned this task to • mszabo.Aug 18 2025, 11:49 AM

We should be able to get this deployed during today's (2025-08-18) security deployment window.

sbassett added a project: Security-Team.Aug 18 2025, 2:03 PM

sbassett moved this task from Watching to Security Patch To Deploy on the Security-Team board.

Niharika moved this task from Triaged to In Progress on the CheckUser-UserInfoCard board.Aug 18 2025, 2:21 PM

matmarex added a subscriber: JTweed-WMF.Aug 18 2025, 2:31 PM

JTweed-WMF edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.Aug 18 2025, 2:37 PM

• mszabo moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 18 2025, 3:27 PM

The above patch (T400892#11092818) was deployed by @mszabo.

sbassett added a parent task: T397767: Tracking bug for MediaWiki 1.39.14/1.43.4/1.44.1.Aug 18 2025, 3:59 PM

OKryva-WMF edited projects, added Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)); removed Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)).Aug 19 2025, 10:24 AM

OKryva-WMF moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.Aug 19 2025, 10:29 AM

sbassett removed a parent task: T397767: Tracking bug for MediaWiki 1.39.14/1.43.4/1.44.1.Aug 19 2025, 9:13 PM

sbassett mentioned this in T397776: Write and send supplementary release announcement for extensions and skins with security patches (1.39.14/1.43.4/1.44.1).

OKryva-WMF edited projects, added Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)); removed Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)).Sep 4 2025, 3:12 PM

OKryva-WMF moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)) board.

Reedy closed this task as Resolved.Sep 17 2025, 1:49 PM

Reedy added a subscriber: gerritbot.

Change #1189183 had a related patch set uploaded (by Reedy; author: Máté Szabó):

[mediawiki/extensions/CentralAuth@master] SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()

https://gerrit.wikimedia.org/r/1189183

gerritbot added a project: Patch-For-Review.Sep 17 2025, 1:51 PM

Change #1189183 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()

https://gerrit.wikimedia.org/r/1189183

Change #1189212 had a related patch set uploaded (by Reedy; author: Máté Szabó):

[mediawiki/extensions/CentralAuth@REL1_44] SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()

https://gerrit.wikimedia.org/r/1189212

Change #1189213 had a related patch set uploaded (by Reedy; author: Máté Szabó):

[mediawiki/extensions/CentralAuth@REL1_43] SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()

https://gerrit.wikimedia.org/r/1189213

Change #1189214 had a related patch set uploaded (by Reedy; author: Máté Szabó):

[mediawiki/extensions/CentralAuth@REL1_39] SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()

https://gerrit.wikimedia.org/r/1189214

Change #1189214 abandoned by Reedy:

[mediawiki/extensions/CentralAuth@REL1_39] SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()

https://gerrit.wikimedia.org/r/1189214

Change #1189212 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_44] SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()

https://gerrit.wikimedia.org/r/1189212

Change #1189213 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_43] SECURITY: Exclude suppress blocks in CentralAuthUser::getBlocks()

https://gerrit.wikimedia.org/r/1189213

Dreamy_Jazz moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)) board.Sep 19 2025, 3:37 PM

Mstyles renamed this task from UserInfoCard: activeLocalBlocksAllWikis does not do permissions checks to CVE-2025-62669: UserInfoCard: activeLocalBlocksAllWikis does not do permissions checks.Oct 18 2025, 5:05 AM

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".

Mstyles changed the edit policy from "Custom Policy" to "All Users".

Maintenance_bot removed a project: Patch-For-Review.Oct 18 2025, 5:30 AM

	F65756138: T400892.patch
	Aug 15 2025, 12:58 PM

CVE-2025-62669: UserInfoCard: activeLocalBlocksAllWikis does not do permissions checksClosed, ResolvedPublic0.5 Estimated Story PointsSecurityActions

Description

Reproduction steps

Details

Related Objects

Event Timeline

CVE-2025-62669: UserInfoCard: activeLocalBlocksAllWikis does not do permissions checks
Closed, ResolvedPublic0.5 Estimated Story PointsSecurity
Actions