CVE-2023-29141

CRITICALNVD 9.89.8—Elevated

9.8

An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header.

CVSS v3: 9.8
EG Score: 9.8(medium)
EPSS: 52.8%
KEV: Not listed

Published

March 31, 2023

Last Modified

February 18, 2025

Advisory Details (6)

Auto-updated Jun 2, 2026

⚠️ Active exploitation confirmed. Patch available.

generic

[SECURITY] Fedora 37 Update: mediawiki-1.38.6-1.fc37 - package-announce - Fedora mailing-lists

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/

generic

[SECURITY] Fedora 38 Update: mediawiki-1.39.3-1.fc38 - package-announce - Fedora mailing-lists

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ONWHGOBFD6CQAEGOP5O375XAP2N6RUHT/

generic Patch Available

[SECURITY] [DLA 3540-1] mediawiki security update

https://lists.debian.org/debian-lts-announce/2023/08/msg00029.html

generic

RELEASE-NOTES-1.39 - mediawiki/core - Gitiles

https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39

generic

[SECURITY] [DSA 5447-1] mediawiki security update

https://www.debian.org/security/2023/dsa-5447

generic🔴 Active Exploitation

⚓ T285159 CVE-2023-29141: X-Forwarded-For header allows brute-forcing autoblocked IP addresses

https://phabricator.wikimedia.org/T285159

Affected Packages

(1 across 1 ecosystem)

Packagist(1)

Package	Vulnerable range	Fixed in	Dependents
mediawiki/core	1.20.3 ... 1.35.9 (126 versions)	1.35.10	—

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-444Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)

Data Freshness Timeline

(refreshed 12× in last 7d / 20× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-06-02 20:12 UTCepss_batch
2026-06-02 20:12 UTCepss_batch
2026-06-02 20:12 UTCepss_batch
2026-06-01 13:51 UTCepss_batch
2026-05-31 22:29 UTCepss_batch
2026-05-31 22:29 UTCepss_batch
2026-05-31 22:29 UTCepss_batch
2026-05-31 00:15 UTCepss_batch
2026-05-31 00:15 UTCepss_batch
2026-05-29 13:43 UTCepss_batch
2026-05-28 13:43 UTCepss_batch
2026-05-28 13:43 UTCepss_batch
2026-05-27 13:39 UTCepss_batch
2026-05-27 13:39 UTCepss_batch
2026-05-26 13:43 UTCepss_batch
2026-05-26 13:43 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:17 UTCepss_batch
2026-05-25 03:59 UTCEG score recompute

Frequently asked(5)

What is CVE-2023-29141?

CVE-2023-29141 is a critical vulnerability published on March 31, 2023. An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header.

When was CVE-2023-29141 disclosed?

CVE-2023-29141 was first published in the National Vulnerability Database on March 31, 2023, with the most recent update on February 18, 2025. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2023-29141 actively exploited?

CVE-2023-29141 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 52.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2023-29141?

CVE-2023-29141 has a CVSS v3 base score of 9.8 (NVD).

How do I remediate CVE-2023-29141?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2023-29141, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-29141

Explore →

Is Your Infrastructure Affected by CVE-2023-29141?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2023-29141

📅 Published

🔄 Last Modified

📋 Advisory Details (6)

[SECURITY] Fedora 37 Update: mediawiki-1.38.6-1.fc37 - package-announce - Fedora mailing-lists

[SECURITY] Fedora 38 Update: mediawiki-1.39.3-1.fc38 - package-announce - Fedora mailing-lists

[SECURITY] [DLA 3540-1] mediawiki security update

RELEASE-NOTES-1.39 - mediawiki/core - Gitiles

[SECURITY] [DSA 5447-1] mediawiki security update

⚓ T285159 CVE-2023-29141: X-Forwarded-For header allows brute-forcing autoblocked IP addresses

Affected Packages

Weakness Classification(1)

Data Freshness Timeline

❓ Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2023-29141?

🔗 Related CVEs(same CWE)

Same CWE

Published

Last Modified

Advisory Details (6)

Frequently asked(5)

Related CVEs(same CWE)