CVE-2025-11175
CVE-2025-11175 is a high-severity vulnerability with a CVSS 4.0 base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-917.
Key facts
- Severity: High (CVSS 4.0 base score 8.8)
- EPSS exploit prediction: 0% (34th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-206571
- Weakness: CWE-917
- Published:
- Last modified:
Description
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.
Frequently asked questions
- What is CVE-2025-11175?
- Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.
- How severe is CVE-2025-11175?
- CVE-2025-11175 has a CVSS 4.0 base score of 8.8, rated high severity.
- Is CVE-2025-11175 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (34th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-11175?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-11175 have an EU (EUVD) identifier?
- Yes. CVE-2025-11175 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-206571.
- When was CVE-2025-11175 published?
- CVE-2025-11175 was published on 2026-01-30 and last updated on 2026-06-17.
References
- https://gerrit.wikimedia.org/r/q/I126203ab1d3ec8c1719cbb5460a887e4d0c2cc6d
- https://gerrit.wikimedia.org/r/q/I563219f3298a8740e158d130492bf3d2897784d7
- https://phabricator.wikimedia.org/T364910
- https://phabricator.wikimedia.org/T396248
Other CWE-917 vulnerabilities
- CVE-2025-3322 — Critical (CVSS 10.0): An improper neutralization of inputs used in expression language allows remote code execution with the highest…
- CVE-2022-22947 — Critical (CVSS 10.0): In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack…
- CVE-2026-11561 — Critical (CVSS 9.8): Improper neutralization of special elements used in an expression language statement ('expression language injection')…
- CVE-2026-22738 — Critical (CVSS 9.8): In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a…
- CVE-2026-24713 — Critical (CVSS 9.8): Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7,…
- CVE-2023-51593 — Critical (CVSS 9.8): Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability…