MediaWiki 1.42.7
2 July 2025
MediaWiki version 1.42.7 is now available (security release).
Upgrading to MediaWiki 1.42.7
You can upgrade to (or install) MediaWiki 1.42.7 using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply MediaWiki updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install and test the 1.42.7 upgrade before applying it live. Get started managing your MediaWiki installations with Installatron.
What's New in MediaWiki 1.42.7
Security
- (T392746, CVE-2025-6590) SECURITY: Escape usernames in HTMLUserTextField validation errors.
- (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in action=feedcontributions.
- (T396230, T31856, CVE-2025-6593) SECURITY: fix IP leak to unverified email.
- (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS when invalid 'format' is provided.
- (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as login for reauthentication.
- (T391343, CVE-2025-6589) SECURITY: BlockList: Hide rows containing suppressed users.
- (T389010, CVE-2025-6926) SECURITY: Allow extensions to suppress the reauth flag on login.
- (T397595, CVE-2025-6927) SECURITY: Fix autoblocks visibility when bl_deleted=1.
- (T397595, CVE-2025-6927) SECURITY: Fix leak of hidden usernames via autoblocks of those users.
Bug Fixes and Changes
- Localisation updates.
- (T388708) Diffs: avoid getContentHandler on null error.
- filebackend: Avoid passing null to FileBackend::normalizeContainerPath.
- (T386175, CVE-2025-32072) SECURITY: Escape newpage message in FeedUtils.
- (T391179) installer: fix MySQL create user permissions check.
- (T391169) INSTALL: Document requirement for bcmath/gmp on 32-bit systems.
- (T391867) http: Handle accept header with incomplete q.
- Update Pingback address.
- (T393879) objectcache: Cast explicitly to integer.
- (T394989) FormatMetadata::formatFraction: Don't risk passing null to preg_match.
- (T221560) Remove hyphens from legal search characters for MySQL-based database searches.
- (T351055) Improve BrokenRedirects display.
- (T395834) Treat File::getShortDesc() as possibly unsafe HTML.
- (T396766) ApiQueryRevisionsBase: Cast ctype_digit() param to string.
- (T397521) Api: Fix permission checks in action=compare.
- (T397883, T397643) htmlform: fix min/max validations on empty input in int/float fields.