CVE-2022-39194: 
NixOS vulnerability analysis and mitigation

CVE-2022-39194 affects MediaWiki through version 1.38.2, specifically related to the GrowthExperiments extension's community configuration pages. The vulnerability was discovered in August 2022 and publicly disclosed in September 2022. The issue affects MediaWiki installations that have the GrowthExperiments extension enabled (NVD, Wikimedia).

The vulnerability stems from a circular dependency in the error handling logic for invalid Growth configuration pages. When an invalid configuration is detected, the system attempts to log the error by calling Status::wrap(res)->getWikiText(), which triggers message rendering. This process involves database access, page access, multiple cache layers, and parser invocation, leading to a circular dependency that can crash the system (Wikimedia).

When successfully exploited, this vulnerability can cause a complete denial of service, effectively taking down the entire MediaWiki installation. The impact is particularly severe as it affects the core functionality of the wiki system (Wikimedia).

The issue was fixed by modifying the error handling logic to avoid using message rendering in the WikiPageConfig error handler. The fix was implemented in MediaWiki versions after 1.38.2. For affected versions, the patch prevents the circular dependency by changing how error messages are logged (Wikimedia).