How to fix EUVD-2025-21013?

Within 24 hours: Immediately disable the DiscordNotifications extension or restrict access to wiki configuration pages; audit logs for suspicious webhook URL modifications. Within 7 days: Implement network-level controls to restrict outbound connections from the wiki server and review all configured webhook URLs for unauthorized changes. Within 30 days: Monitor the project repository for the patched commit (1f20d850cbcce5b15951c7c6127b87b927a5415e), apply it when released, or migrate to alternative notification mechanisms.

Is Mediawiki affected by EUVD-2025-21013?

A critical vulnerability in the DiscordNotifications MediaWiki extension allows attackers to perform denial-of-service attacks, access internal systems, and potentially execute arbitrary code through improperly validated webhook URLs.

EUVD-2025-21013

| CVE-2025-53371 CRITICAL

2025-07-10 [email protected]

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-21013

CVE Published

Jul 10, 2025 - 18:15 nvd

CRITICAL 9.1

Description

DiscordNotifications is an extension for MediaWiki that sends notifications of actions in your Wiki to a Discord channel. DiscordNotifications allows sending requests via curl and file_get_contents to arbitrary URLs set via $wgDiscordIncomingWebhookUrl and $wgDiscordAdditionalIncomingWebhookUrls. This allows for DOS by causing the server to read large files. SSRF is also possible if there are internal unprotected APIs that can be accessed using HTTP POST requests, which could also possibly lead to RCE. This vulnerability is fixed in commit 1f20d850cbcce5b15951c7c6127b87b927a5415e.

Analysis

A denial of service vulnerability in DiscordNotifications (CVSS 9.1) that allows sending requests. Critical severity with potential for significant impact on affected systems.

Technical Context

CWE-400 (Uncontrolled Resource Consumption). CVSS 9.1 indicates critical severity with likely remote exploitation vector. Affects DiscordNotifications.

Affected Products

['DiscordNotifications']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +46

POC: 0

EUVD-2025-21013 vulnerability details – vuln.today

Back

EUVD-2025-21013

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-21013

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code