Wikimedia Foundation MediaWiki DiscussionTools Extension Regular Expression Exponential Blowup Vulnerability
Vulnerability
A regular expression exponential blowup (catastrophic backtracking) vulnerability has been identified in the DiscussionTools extension of MediaWiki. The issue stems from improper neutralization of special elements used in expression language statements and can lead to performance degradation. It affects MediaWiki DiscussionTools Extension versions 1.44 and 1.43.
Impact
Exploitation of this vulnerability triggers regular expression exponential blowup: the affected operations consume an excessive amount of time and resources, resulting in significant performance degradation.
Reproduction
The vulnerability can be reproduced on a MediaWiki installation that includes the DiscussionTools extension at version 1.44 or 1.43. The issue arises when the extension's regular expressions are applied to HTML content in a way whose processing time grows exponentially with the input, particularly on pages with long content or many discussion signatures.
Remediation
Users should update to a version of the MediaWiki DiscussionTools extension in which this vulnerability has been addressed.
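The following PHP is an added illustration and is not code from MediaWiki or the DiscussionTools extension; the affected pattern is not reproduced here, and both regexes and the subject string below are constructed stand-ins. It shows the two points a maintainer cares about in this class of bug: how an ambiguous repeated group makes a failing match backtrack exponentially, and how a PHP application can bound that work with pcre.backtrack_limit and detect the abort through preg_last_error() instead of treating it as an ordinary non-match. The function name matchWithBudget and the budget value are assumptions for this example; preg_last_error_msg() requires PHP 8.0 or later.

```php
<?php
// Added example; not MediaWiki or DiscussionTools code. The patterns are
// constructed stand-ins, not the extension's actual regex.

// Constructed ambiguous pattern: [^<]+ inside a repeated group can split the
// same run of text into exponentially many iterations, all of which PCRE
// revisits when the trailing literal fails to match.
const AMBIGUOUS_PATTERN = '/^(?:[^<]+|<span>)*<\/span>$/';

// Constructed unambiguous rewrite for the same job: a single character class
// with no nested repetition, so a failed match is decided in linear time.
const LINEAR_PATTERN = '/^[^<]*<\/span>$/';

/**
 * Run preg_match under an explicit backtrack budget and report whether the
 * engine gave up. 'aborted' must be handled as "input rejected", never as a
 * silent non-match: preg_match returns false (not 0) in that case.
 */
function matchWithBudget(string $pattern, string $subject, int $budget = 100000): array
{
    $previous = ini_get('pcre.backtrack_limit');
    ini_set('pcre.backtrack_limit', (string) $budget);

    $start   = hrtime(true);
    $result  = preg_match($pattern, $subject);
    $elapsed = (hrtime(true) - $start) / 1e6; // milliseconds
    $error   = preg_last_error();
    $message = preg_last_error_msg();

    ini_set('pcre.backtrack_limit', $previous);

    return [
        'matched' => $result === 1,
        'aborted' => $error === PREG_BACKTRACK_LIMIT_ERROR,
        'error'   => $message,
        'ms'      => round($elapsed, 3),
    ];
}

// Constructed subject: signature-like text followed by a tag that is neither
// <span> nor </span>, so the match must fail after consuming the whole prefix.
$subject = str_repeat('User talk ', 6) . '<b>';

foreach (['ambiguous' => AMBIGUOUS_PATTERN, 'linear' => LINEAR_PATTERN] as $name => $pattern) {
    $r = matchWithBudget($pattern, $subject);
    printf(
        "%-9s matched=%-3s aborted=%-3s error=%s time=%sms\n",
        $name,
        $r['matched'] ? 'yes' : 'no',
        $r['aborted'] ? 'yes' : 'no',
        $r['error'],
        $r['ms']
    );
}
```

With the ambiguous pattern the call returns false and preg_last_error() reports PREG_BACKTRACK_LIMIT_ERROR within the budget; the linear pattern simply returns 0. Two habits follow for any PHP code that runs regexes over user-controlled HTML: keep the default backtrack limit (or a lower one) rather than raising it to make a slow pattern "work", and check preg_last_error() after preg_match so an aborted match surfaces as an error rather than being read as "no match".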