CVE-2015-2942 in MediaWiki
Summary
by MITRE
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," a different vulnerability than CVE-2015-2937.
Analysis
by VulDB Data Team • 05/03/2022
CVE-2015-2942 is a critical denial-of-service weakness in MediaWiki releases before the patched versions listed above, affecting installations that run on the HHVM runtime. A remote attacker can exhaust CPU and memory with a crafted upload, specifically an SVG image or a PDF whose XMP metadata is malicious. The attack relies on entity expansion: nested entity references in these XML-based formats multiply the parser's work at every level of nesting, so a small file can demand exponentially more processing and leave the service unavailable. This is the well-known "billion laughs" pattern, which abuses the recursive expansion of XML entities to amplify resource consumption.
Technically, the flaw stems from insufficient input validation and missing resource limits in MediaWiki's file-processing pipeline when it runs under HHVM. When parsing an SVG file with deeply nested entity references, or a PDF whose XMP metadata carries them, the system imposes no adequate bound on entity-expansion depth or total processing time. An attacker can therefore craft files with hundreds or thousands of nested entity references that, when processed, force the system to allocate excessive memory and CPU cycles. The weakness is specific to MediaWiki's handling of XML-based formats in which entity references are expanded recursively without bounds checking, so that ordinary processing becomes computationally expensive and resource-intensive.
Operationally, this vulnerability is a significant risk to any MediaWiki installation that accepts user-uploaded content or processes external media files. The denial-of-service condition can take down an entire wiki, making it unavailable to legitimate users while it burns substantial system resources. An attacker can use it to disrupt services and potentially trigger cascading failures in larger environments where several wiki instances depend on shared resources. The impact extends beyond simple service disruption: the exhausted CPU and memory can starve other applications on the same infrastructure, particularly in shared hosting or cloud deployments where resource isolation is not properly enforced.
CVE-2015-2942 maps to CWE-400 (Uncontrolled Resource Consumption) and can be mapped to ATT&CK technique T1499.004 for network denial of service attacks. Organizations should mitigate immediately by upgrading to a patched MediaWiki version, enforcing strict file-size and processing-time limits on uploaded content, and configuring proper input validation for XML processing. System administrators should additionally consider resource quotas and monitoring for unusual CPU and memory consumption patterns that may indicate exploitation attempts. The vulnerability underlines the importance of correct XML parser configuration and input sanitization in web applications that handle user-generated content, especially in virtualized or containerized environments where resource constraints are critical for stability and security.
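The amplification mechanism described in the technical paragraph above, and the "input validation for XML processing" mitigation in the paragraph just above, can both be shown with a small pre-parse gate. The following is an added example, not MediaWiki, HHVM or VulDB code: it scans an SVG (or an XMP packet pulled out of a PDF) for an internal DTD subset, builds the entity reference graph and computes how large each entity would become if expanded, without ever expanding it, then rejects the document when the estimate crosses a byte budget, nests too deeply, or references itself. The budgets, the regex-based scanning, the restriction to uncompressed XMP packets and all sample inputs are assumptions made for the example; the definitive control remains the XML parser's own entity-expansion limit, and this check is a cheap first gate in front of it.

```python
"""Bounded pre-parse check for XML entity amplification ("billion laughs").
Added example, not MediaWiki or HHVM code. Estimates expansion size from the
entity graph instead of expanding anything, so a bomb costs almost nothing
to reject."""
import re

# Budgets are illustrative assumptions; tune them for a real deployment.
MAX_EXPANSION_BYTES = 100_000   # total bytes of expanded entity text allowed
MAX_NESTING_DEPTH = 8           # entity-within-entity nesting allowed

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.S)
ENTITY_DECL_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF_RE = re.compile(r"&(\w+);")
XPACKET_RE = re.compile(rb"<\?xpacket begin=.*?<\?xpacket end=[^>]*\?>", re.S)
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}


class EntityBombError(ValueError):
    """Raised as soon as the expansion estimate crosses a limit."""


def internal_entities(xml: str) -> dict:
    """{name: replacement text} for general entities declared in the internal
    DTD subset. External DTDs and parameter entities are out of scope here."""
    m = DOCTYPE_RE.search(xml)
    return dict(ENTITY_DECL_RE.findall(m.group(1))) if m else {}


def _expanded_size(name: str, entities: dict, cache: dict, stack: list) -> int:
    """Bytes that &name; would expand to, memoised over the entity graph, so
    cost is linear in the number of declarations even when the expanded text
    would be astronomically large."""
    if name in cache:
        return cache[name]
    if name in stack:
        raise EntityBombError(f"recursive entity reference &{name};")
    if len(stack) >= MAX_NESTING_DEPTH:
        raise EntityBombError(f"entity nesting deeper than {MAX_NESTING_DEPTH}")
    value = entities.get(name)
    if value is None:
        # Predefined entities expand to one character; an undeclared one is a
        # parse error downstream, so count it as literal text.
        return PREDEFINED.get(name, len(name) + 2)
    stack.append(name)
    total = len(ENTITY_REF_RE.sub("", value))      # literal characters
    for ref in ENTITY_REF_RE.findall(value):        # plus every nested reference
        total += _expanded_size(ref, entities, cache, stack)
        if total > MAX_EXPANSION_BYTES:
            raise EntityBombError(f"entity &{name}; expands past {MAX_EXPANSION_BYTES} bytes")
    stack.pop()
    cache[name] = total
    return total


def check_document(xml: str) -> dict:
    """Accept or reject a document based on its estimated entity expansion."""
    entities = internal_entities(xml)
    body = DOCTYPE_RE.sub("", xml, count=1)
    cache, total = {}, 0
    try:
        for ref in ENTITY_REF_RE.findall(body):
            total += _expanded_size(ref, entities, cache, [])
            if total > MAX_EXPANSION_BYTES:
                raise EntityBombError(f"document expands past {MAX_EXPANSION_BYTES} bytes")
    except EntityBombError as err:
        return {"accepted": False, "reason": str(err),
                "declared_entities": len(entities), "estimated_bytes": total}
    return {"accepted": True, "reason": "ok",
            "declared_entities": len(entities), "estimated_bytes": total}


def extract_xmp_packets(pdf: bytes) -> list:
    """Pull uncompressed XMP packets out of a PDF byte stream. Real PDFs may
    keep XMP inside compressed streams, which this example does not inflate."""
    return [p.decode("utf-8", "replace") for p in XPACKET_RE.findall(pdf)]


# --- constructed sample inputs (not real uploads) ---------------------------
BENIGN_SVG = ('<?xml version="1.0"?>\n'
              '<!DOCTYPE svg [ <!ENTITY company "Example Corp"> ]>\n'
              '<svg xmlns="http://www.w3.org/2000/svg">'
              '<title>&company; logo</title><desc>&company;</desc></svg>')

# Six nesting levels with fan-out ten: the expanded text would be 3 * 10^5
# bytes from a file of a few hundred bytes, well past the budget above.
_decls = ['<!ENTITY lol0 "lol">'] + [
    f'<!ENTITY lol{i} "{"&lol%d;" % (i - 1) * 10}">' for i in range(1, 6)]
BOMB_SVG = ('<?xml version="1.0"?>\n<!DOCTYPE svg [\n' + "\n".join(_decls) +
            '\n]>\n<svg xmlns="http://www.w3.org/2000/svg"><text>&lol5;</text></svg>')

# PDF-like blob whose XMP packet declares two entities referencing each other,
# a recursion XML forbids and that a parser must never try to expand.
FAKE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
            b'<?xpacket begin="\xef\xbb\xbf"?>'
            b'<!DOCTYPE x [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]>'
            b'<x:xmpmeta xmlns:x="adobe:ns:meta/">&a;</x:xmpmeta>'
            b'<?xpacket end="w"?>\nendstream\nendobj\n')

if __name__ == "__main__":
    print("benign svg:", check_document(BENIGN_SVG))
    print("bomb svg:  ", check_document(BOMB_SVG))
    for packet in extract_xmp_packets(FAKE_PDF):
        print("pdf xmp:   ", check_document(packet))
```

The memoised size walk is the point: the benign file is accepted with an estimate of 24 bytes, the six-level sample is rejected while computing the outermost entity without any string ever being built, and the mutually recursive pair in the XMP packet is caught by the cycle check rather than by a stack overflow. Run this before handing an upload to the real parser; for the parser itself, disable DTD processing or set its entity-expansion limit, since a regex prefilter can be bypassed by encodings it does not understand.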