Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
CISA Known Exploited Vulnerability
Date added 2025-10-30 | Due date 2025-11-20
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Problem types
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Product status
>= 16.0.0-rc-1, < 16.4.1
References
www.cisa.gov/...erabilities-catalog?field_cve=CVE-2025-24893
github.com/...atform/security/advisories/GHSA-rr6p-3pfg-562j
github.com/...ommit/67021db9b8ed26c2236a653269302a86bf01ef40
github.com/...i/src/main/resources/Main/SolrSearchMacros.xml
github.com/...mplates/src/main/resources/templates/macros.vm
jira.xwiki.org/browse/XWIKI-22149
