CVE-2021-41800 in MediaWiki
Summary
by MITRE • 10/11/2021
MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/29/2026
MediaWiki versions prior to 1.36.2 contain a critical denial of service vulnerability that stems from improper handling of SQL query processing time within the Special:Contributions page functionality. This vulnerability manifests when users access the contributions special page, which triggers lengthy SQL queries that consume excessive system resources. The root cause lies in the mishandling of PoolCounter protection mechanisms that are designed to prevent resource exhaustion by limiting concurrent database operations. When these protective measures fail to properly enforce query time limits, malicious or unintended access patterns can lead to sustained high CPU utilization and memory consumption. The vulnerability specifically affects the database query execution engine where query processing time is not adequately monitored or capped, allowing attackers to exploit this weakness through repeated requests to the Special:Contributions page. This behavior directly violates security principles outlined in CWE-400, which addresses unspecified resource exhaustion vulnerabilities, and aligns with ATT&CK technique T1499.001 for resource exhaustion attacks. The operational impact includes significant degradation of service availability, potential system crashes, and denial of service for legitimate users attempting to access contribution data. Organizations running affected MediaWiki versions face risks of complete service disruption during sustained attack scenarios, as the system becomes unresponsive due to resource starvation. The vulnerability demonstrates a critical flaw in the application's resource management architecture where proper rate limiting and query timeout mechanisms are either absent or inadequately implemented. This allows attackers to consume system resources at an unsustainable rate, effectively creating a denial of service condition that impacts the entire platform availability. The issue primarily affects web applications that rely on database intensive operations and highlights the importance of implementing robust resource monitoring and protection mechanisms. Security practitioners should note that this vulnerability represents a classic example of insufficient resource exhaustion protection where the application fails to properly enforce resource limits on database operations. The fix for this vulnerability involves implementing proper PoolCounter protection mechanisms that correctly enforce query time limits and prevent excessive resource consumption. Organizations should prioritize upgrading to MediaWiki 1.36.2 or later versions where these protections have been properly implemented and tested. Additionally, system administrators should monitor database query performance and implement additional safeguards such as query timeouts, connection limits, and resource usage monitoring to prevent similar issues from occurring in other applications. The vulnerability serves as a reminder of the critical importance of proper resource management in web applications and the potential consequences of inadequate protection mechanisms against resource exhaustion attacks.