
Cloud Vulnerability DB
A community-led vulnerabilities database
A denial-of-service (DoS) issue was discovered in MediaWiki 1.37.x before 1.37.2. The vulnerability affects the Special:WhatLinksHere functionality when querying heavily used properties in Wikidata, which could be exploited as a DDoS vector (Debian Tracker).
The vulnerability exists in the Special:WhatLinksHere functionality where querying certain heavily used properties (like P31) could trigger database queries scanning over 200 million rows, causing significant server load. The issue occurs specifically when using namespace filters with heavily linked properties or items. The query execution time could exceed 30 seconds, making it an effective DDoS vector (Phabricator).
When exploited, this vulnerability could lead to excessive server resource consumption and potential denial of service. The issue is particularly concerning as it could fill MySQL's in-memory cache (InnoDB buffer pool) and impact overall system performance, similar to a DNS water torture attack (Phabricator).
The issue was addressed by modifying the query sorting mechanism to sort by namespace first, then by page ID, which allows MySQL to use indexes more efficiently without requiring a filesort operation. This change was implemented in MediaWiki versions 1.35.6, 1.36.4, and 1.37.2 (Debian Tracker).
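The following is an added illustration, not MediaWiki's code or schema, of why the ordering change matters. It uses SQLite in place of MySQL and a simplified, constructed table `backlinks(from_page, from_namespace, target)` with one composite index; the column and index names are assumptions for this example. A query that filters on several source namespaces but sorts by page id alone cannot be served in index order, so the engine has to sort the matched rows (SQLite reports "USE TEMP B-TREE FOR ORDER BY", the counterpart of MySQL's filesort). Sorting by namespace first and then by page id follows the index, so no sort step is needed even when the target is linked from a very large number of pages:

```python
import sqlite3

# Constructed, simplified stand-in for a "what links here" table.
# Column and index names are assumptions for this example, not MediaWiki's schema.
SCHEMA = """
CREATE TABLE backlinks (
    from_page      INTEGER NOT NULL,  -- id of the page carrying the link
    from_namespace INTEGER NOT NULL,  -- namespace of that page
    target         TEXT    NOT NULL   -- the linked-to item or property
);
CREATE INDEX bl_ns_target_from
    ON backlinks (from_namespace, target, from_page);
"""

# Constructed sample rows: pages in two namespaces (0 and 120) linking to 'P31'.
SAMPLE_ROWS = [
    (5, 0, "P31"), (9, 0, "P31"), (2, 120, "P31"), (7, 120, "P31"),
    (3, 0, "Q5"), (8, 120, "Q5"),
]

# Before the fix: namespace filter in WHERE, but sorted by page id only.
QUERY_BEFORE = """
SELECT from_page, from_namespace FROM backlinks
 WHERE target = ? AND from_namespace IN (0, 120)
 ORDER BY from_page
"""

# After the fix: sort by namespace first, then page id, matching the index order.
QUERY_AFTER = """
SELECT from_page, from_namespace FROM backlinks
 WHERE target = ? AND from_namespace IN (0, 120)
 ORDER BY from_namespace, from_page
"""


def open_db():
    """Create an in-memory database with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO backlinks VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def needs_sort(conn, query, params=("P31",)):
    """True if SQLite must sort the matched rows in a temp b-tree (MySQL: filesort)."""
    plan = conn.execute("EXPLAIN QUERY PLAN " + query, params).fetchall()
    return any("TEMP B-TREE FOR ORDER BY" in str(row[-1]) for row in plan)


def run(conn, query, params=("P31",)):
    """Return the (from_page, from_namespace) rows the query produces."""
    return conn.execute(query, params).fetchall()


if __name__ == "__main__":
    db = open_db()
    for label, q in (("before", QUERY_BEFORE), ("after", QUERY_AFTER)):
        print(f"{label}: extra sort step = {needs_sort(db, q)}, rows = {run(db, q)}")
```

Both queries return the same rows; only the order and the work needed to produce it differ. In an operational check the same idea applies to MySQL: run `EXPLAIN` on the query a page feature issues and treat "Using filesort" over a large key range as a capacity risk, since each such request ties up the database for the duration of the sort.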
Source: This report was generated using AI