CVE-2025-24893 in xwiki-platform
Summary
by MITRE • 02/20/2025
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 11/17/2025
The vulnerability identified as CVE-2025-24893 represents a critical remote code execution flaw within the XWiki Platform, a widely used generic wiki platform that serves as a foundation for various applications. This security weakness resides in the SolrSearch component, which is designed to provide search functionality for XWiki installations. The vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems simply by crafting specific requests to the SolrSearch endpoint, thereby compromising the entire XWiki installation's confidentiality, integrity, and availability. The flaw demonstrates a severe lack of input validation and output encoding controls, creating an attack surface that can be exploited by malicious actors without requiring any authentication credentials or privileged access.
The technical exploitation of this vulnerability leverages the Groovy scripting engine within XWiki's macro processing system through a carefully crafted request parameter. Attackers can inject malicious Groovy code through the text parameter of the SolrSearch endpoint, specifically targeting the RSS feed generation functionality. The proof-of-concept demonstrates how a request containing encoded Groovy code within async and groovy macro tags can execute arbitrary commands and return output through the RSS feed. This type of vulnerability falls under CWE-94, which describes "Improper Control of Generation of Code ('Code Injection')" and specifically relates to insufficient input sanitization in macro processing systems. The vulnerability exists because the platform fails to properly validate or sanitize user input before incorporating it into executable code contexts, allowing attackers to bypass normal access controls and execute system commands directly.
The operational impact of this vulnerability is devastating for any XWiki installation that remains unpatched, as it provides complete remote code execution capabilities to any internet-facing system. An attacker who successfully exploits this vulnerability can gain full control over the affected server, potentially leading to data breaches, system compromise, service disruption, or even lateral movement within network environments. The vulnerability affects the core runtime services of XWiki applications, meaning that any application built on top of the platform could be compromised, including content management systems, collaboration platforms, and enterprise wikis. This type of attack aligns with ATT&CK technique T1059.007, "Command and Scripting Interpreter: PowerShell," and T1566.001, "Phishing: Spearphishing Attachment," as attackers may use this vulnerability to establish persistent access or deliver additional payloads.
Organizations affected by this vulnerability should immediately implement the recommended mitigations provided by XWiki. The primary solution involves upgrading to patched versions 15.10.11, 16.4.1, or 16.5.0RC1, which contain proper input validation and sanitization measures. For organizations unable to perform immediate upgrades, a manual patch can be applied by modifying the SolrSearchMacros.xml file to correct the content type handling in the rawResponse macro. This mitigation requires editing line 955 of the SolrSearchMacros.xml file to ensure that the content type is explicitly set to application/xml instead of simply outputting the raw feed content. The vulnerability demonstrates the critical importance of proper input validation in web applications and highlights the need for comprehensive security testing of macro and template processing systems. Security teams should also implement network monitoring to detect suspicious requests targeting the SolrSearch endpoint and consider implementing web application firewalls to block known exploit patterns. The vulnerability serves as a reminder of the risks associated with dynamic code execution capabilities within wiki platforms and the necessity of maintaining up-to-date security patches for all components in the application stack.