CVE-2019-25338 in DokuWiki

Summary

by MITRE • 02/13/2026

DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server's error response messages.


Analysis

by VulDB Data Team • 03/03/2026

The vulnerability identified as CVE-2019-25338 is a critical username enumeration flaw in the password reset mechanism of DokuWiki version 2018-04-22b. It stems from inconsistent response handling in the authentication flow, specifically when a user asks for a forgotten password to be reset. The flaw manifests when the system returns different error messages for valid and invalid usernames, creating a predictable pattern that attackers can use to systematically identify registered accounts.

The vulnerability maps directly to CWE-204 (Observable Response Discrepancy), the weakness class in which an application's responses differ in a way that reveals internal state to an observer. The flaw sits at the application logic level: the password reset endpoint fails to normalize its error responses regardless of whether the submitted username exists. Attackers can leverage this inconsistency by sending multiple username attempts to the reset endpoint and comparing the response times or message content to determine which accounts exist in the DokuWiki installation.

The operational impact of this vulnerability extends beyond simple account enumeration, since a confirmed list of valid usernames is a foundation for follow-on attacks. Once valid usernames are identified, threat actors can proceed with targeted password spraying, brute force attacks, or social engineering campaigns with significantly higher success rates. The vulnerability weakens the authentication security posture of the entire system, potentially leading to compromised user credentials and unauthorized access to sensitive wiki content and administrative functions.

Security practitioners should implement several mitigations for this vulnerability. The most effective is to normalize all responses from the password reset endpoint so that the feedback is identical whether or not the username exists. This aligns with the principle of least information disclosure and prevents attackers from distinguishing valid from invalid account attempts. Rate limiting and account lockout mechanisms further reduce the effectiveness of automated enumeration while preserving legitimate user access. Organizations should also consider multi-factor authentication as an additional layer that limits the damage of compromised credentials. The vulnerability demonstrates the importance of proper input validation and error handling as outlined in the OWASP Top Ten, and corresponds to ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing) for credential harvesting through social engineering.
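As an added illustration (not DokuWiki's own code), the pattern described above beside its fix, in Python: a constructed reset handler whose message reveals whether an account exists, a normalized version that answers identically on both paths, and a regression check a maintainer can run to confirm the two replies are indistinguishable. The user store, messages and mailer stub are all constructed for the example.

```python
"""Added example: username enumeration via a password-reset endpoint, and its fix."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable

# Constructed user store for the example; only 'alice' exists.
USERS = {"alice": "alice@example.invalid"}


@dataclass
class ResetResponse:
    status: int
    message: str


def send_reset_mail(email: str, token: str) -> None:
    """Constructed stand-in; a real handler would queue this for the mailer."""
    return None


def reset_vulnerable(username: str) -> ResetResponse:
    """CWE-204 pattern: status and message differ depending on account existence."""
    if username not in USERS:
        return ResetResponse(400, "Unknown user: no account with that name")
    send_reset_mail(USERS[username], secrets.token_urlsafe(32))
    return ResetResponse(200, "A reset link has been sent to your e-mail")


def reset_hardened(username: str) -> ResetResponse:
    """Normalized: same status and same message on both paths.

    The token is generated unconditionally so the branches do comparable work;
    the mail send itself should be queued off the request path so that delivery
    time does not leak existence either.
    """
    token = secrets.token_urlsafe(32)
    email = USERS.get(username)
    if email is not None:
        send_reset_mail(email, token)
    return ResetResponse(200, "If that account exists, a reset link has been sent")


def responses_distinguishable(handler: Callable[[str], ResetResponse],
                              existing: str, missing: str) -> bool:
    """Regression check: True if a client could tell the two accounts apart."""
    a, b = handler(existing), handler(missing)
    if a.status != b.status:
        return True
    return not hmac.compare_digest(a.message.encode(), b.message.encode())
```

Running `responses_distinguishable` against the real endpoint's replies for a known and an unknown username is a cheap post-patch check for this class of issue.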

Responsible

VulnCheck

Reservation

02/12/2026

Disclosure

02/13/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00048

KEV

no

Activities

very low
