CVE-2023-45367 in CheckUser Extension
Summary
by MITRE • 10/25/2023
An issue was discovered in the CheckUser extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. A user can use a rest.php/checkuser/v0/useragent-clienthints/revision/ URL to store an arbitrary number of rows in cu_useragent_clienthints, leading to a denial of service.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability CVE-2023-45367 affects the CheckUser extension for MediaWiki, a widely used wiki software platform that powers numerous websites including Wikipedia. This issue exists in multiple versions of MediaWiki, specifically before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1, creating a significant security concern for organizations relying on these platforms. The vulnerability stems from improper input validation and resource management within the extension's handling of user agent client hints data, which are typically used to gather browser and device information from users visiting wiki pages.
The technical flaw manifests through a specific API endpoint at rest.php/checkuser/v0/useragent-clienthints/revision/ that allows authenticated users to submit arbitrary amounts of data to be stored in the cu_useragent_clienthints database table. This functionality was designed to collect and store user agent information for user tracking and analysis purposes, but lacks proper rate limiting, input sanitization, and resource consumption controls. An attacker can exploit this by repeatedly submitting large volumes of data through this endpoint, causing the database to accumulate an excessive number of rows without proper bounds or cleanup mechanisms.
The operational impact of this vulnerability is primarily a denial of service condition that can severely impact system performance and availability. When an attacker exploits this vulnerability, they can cause the database to consume excessive storage space and processing resources, potentially leading to database performance degradation, application slowdowns, or complete service unavailability. The accumulation of arbitrary rows in the cu_useragent_clienthints table can also affect database query performance and may cause cascading failures throughout the MediaWiki system. This vulnerability aligns with CWE-400, which addresses resource exhaustion issues, and represents a classic example of how insufficient input validation can lead to denial of service conditions.
The attack vector for this vulnerability requires an authenticated user account, which means that the threat is not limited to external attackers but can also come from compromised user accounts or insiders with legitimate access. This makes the vulnerability particularly concerning for organizations that rely heavily on MediaWiki platforms where user access is more permissive. The exploitation can be automated and sustained, making it difficult to detect and mitigate. Organizations should consider implementing access controls and monitoring mechanisms to detect unusual patterns of data submission through this API endpoint.
Mitigation strategies for CVE-2023-45367 include upgrading to the patched versions of MediaWiki where the vulnerability has been addressed through proper input validation and rate limiting controls. System administrators should also implement database query monitoring to detect and alert on unusual data insertion patterns, particularly those that result in rapid growth of specific tables. Additional protective measures include implementing rate limiting at the API level, enforcing stricter input validation for user agent data, and conducting regular database maintenance to prevent resource exhaustion. Organizations should also consider implementing database quotas and monitoring for table growth to proactively identify potential abuse of this functionality. The ATT&CK framework categorizes this vulnerability under privilege escalation and resource exhaustion techniques, highlighting the need for comprehensive security monitoring and access control measures to prevent unauthorized exploitation.
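As an added example (not code from VulDB or the CheckUser project), the following Python script implements the detection side of the monitoring suggested above: it scans web-server access logs for bursts of accepted store requests to the clienthints endpoint per client. It assumes a standard /w/ script path, that the store call is a POST, and uses 5 stores per 60 seconds as a tuning starting point; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoint path from the advisory; the "/w/" script path is an assumption.
ENDPOINT = "/w/rest.php/checkuser/v0/useragent-clienthints/revision/"
# Apache combined-style log line: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (not real traffic): 203.0.113.5 hammers the endpoint,
# 198.51.100.7 submits at a normal pace, plus one unrelated page view.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [10/Oct/2023:12:00:{s:02d} +0000] "POST {ENDPOINT}1001 HTTP/1.1" 200 12'
     for s in range(0, 40, 5)]  # eight stores within 35 seconds
    + [f'198.51.100.7 - - [10/Oct/2023:12:00:10 +0000] "POST {ENDPOINT}1002 HTTP/1.1" 200 12',
       f'198.51.100.7 - - [10/Oct/2023:12:05:10 +0000] "POST {ENDPOINT}1003 HTTP/1.1" 200 12',
       '198.51.100.7 - - [10/Oct/2023:12:05:11 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 5120'])

def parse_line(line):
    """Return (client, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Per-client sliding-window count of accepted stores to the clienthints endpoint.

    Returns {client: peak_count} for clients that exceeded `threshold` stores inside any
    `window`. Window and threshold are tuning assumptions, not values from the advisory.
    Assumes the store call is a POST and that lines are in time order per client;
    only 2xx responses count, so rejected requests do not inflate the number.
    """
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    peak = defaultdict(int)      # client -> highest window count seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, ts, method, path, status = rec
        if method != "POST" or not path.startswith(ENDPOINT) or not 200 <= status < 300:
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # evict timestamps older than the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n > threshold}
```

Running find_bursts(SAMPLE_LOG) flags 203.0.113.5 with a peak of 8 stores in one window while the paced client stays below the threshold; the same logic can be pointed at a real access log once the script path and thresholds match the deployment.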