CVE-2025-49594
Severity: 9.2 Critical
Published:
Last updated:
Source: security-advisories@github.com
Status: Deferred
Weakness (CWE)
CVSS Vector (v4.0): CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: Present
- Privileges Required: None
- User Interaction: None
- Confidentiality (Vulnerable system): High
- Integrity (Vulnerable system): High
- Availability (Vulnerable system): High
- Confidentiality (Subsequent system): None
- Integrity (Subsequent system): None
- Availability (Subsequent system): None
Description
XWiki OIDC provides tools for using the OpenID Connect protocol in XWiki. In versions from 2.17.1 up to, but not including, 2.18.2, anyone with VIEW access to a user's profile can create an authentication token for that user. If the XWiki instance is configured to allow token authentication, this lets an attacker authenticate as any user, because user profiles are very commonly viewable, at least by other registered users. Version 2.18.2 contains a patch. As a workaround, disable token access.
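The authorization mistake described above, as an added illustration that is not XWiki OIDC's own code: a token-creation function that accepts VIEW rights on the target's profile as sufficient, beside the corrected check that binds token minting to the subject (or an admin). The rights model, the user names, the token store and the `suspicious_tokens` post-incident check are all assumptions made for the example.

```python
"""Added example for CVE-2025-49594 (not XWiki OIDC's own code).

Models the flaw in the advisory: if creating a token for a user only requires
VIEW access to that user's profile, any profile viewer can mint a token that
authenticates as that user.  Rights model, users and token store are assumed.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_admin: bool = False
    # Users allowed to VIEW this profile (assumed model; on many wikis this is
    # every registered user, which is what makes the flaw severe).
    profile_viewers: set = field(default_factory=set)


class TokenError(PermissionError):
    """Raised when the actor may not create a token for the target."""


# sha256(token) -> (subject, creator).  Only the hash is kept; the raw token is
# returned once to the caller.  (Assumed store for the illustration.)
TOKEN_STORE: dict[str, tuple[str, str]] = {}


def _issue_token(subject: User, creator: User) -> str:
    raw = secrets.token_urlsafe(32)
    TOKEN_STORE[hashlib.sha256(raw.encode()).hexdigest()] = (subject.name, creator.name)
    return raw


def can_view_profile(actor: User, target: User) -> bool:
    return actor.name == target.name or actor.is_admin or actor.name in target.profile_viewers


def create_token_vulnerable(actor: User, target: User) -> str:
    """Flawed check: VIEW rights on the profile are treated as enough."""
    if not can_view_profile(actor, target):
        raise TokenError(f"{actor.name} cannot view {target.name}")
    return _issue_token(target, actor)


def create_token_fixed(actor: User, target: User) -> str:
    """Corrected check: only the subject (or an admin) may mint a token for the subject."""
    if actor.name != target.name and not actor.is_admin:
        raise TokenError(f"{actor.name} may not create tokens for {target.name}")
    return _issue_token(target, actor)


def authenticate(raw_token: str) -> str | None:
    """Resolve a presented token to the user it authenticates as (None if unknown)."""
    entry = TOKEN_STORE.get(hashlib.sha256(raw_token.encode()).hexdigest())
    return entry[0] if entry else None


def suspicious_tokens(admins: set[str]) -> list[tuple[str, str]]:
    """Post-incident check (assumed procedure): tokens whose creator is neither the
    subject nor an admin are revocation candidates on an instance that ran a
    vulnerable version."""
    return [(subject, creator) for subject, creator in TOKEN_STORE.values()
            if creator != subject and creator not in admins]


def demo() -> dict:
    """Run the scenario with constructed users and return what each check yields."""
    TOKEN_STORE.clear()
    alice = User("alice")
    bob = User("bob")
    alice.profile_viewers.add("bob")  # bob may merely VIEW alice's profile

    forged = create_token_vulnerable(bob, alice)  # succeeds: bob now holds alice's token
    try:
        create_token_fixed(bob, alice)
        blocked = False
    except TokenError:
        blocked = True
    own = create_token_fixed(alice, alice)  # legitimate self-issued token

    return {
        "forged_authenticates_as": authenticate(forged),
        "fixed_blocks_bob": blocked,
        "own_authenticates_as": authenticate(own),
        "suspicious": suspicious_tokens(admins=set()),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `suspicious_tokens` is that fixing the check does not by itself invalidate tokens minted while the check was wrong; whether a given store records the creator, and whether the upgrade revokes anything, is instance-specific and not stated in the advisory.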
References
- https://github.com/xwiki-contrib/oidc/commit/d90d717172283aaa96bb5bb44e357f910ae64adb (security-advisories@github.com)
- https://github.com/xwiki-contrib/oidc/security/advisories/GHSA-f2hf-pfrj-vrm7 (security-advisories@github.com)
- https://jira.xwiki.org/browse/OIDC-240 (af854a3a-2127-422b-91ae-364da2661108)
- https://www.vicarius.io/vsociety/posts/cve-2025-49594-detect-xwiki-vulnerability (af854a3a-2127-422b-91ae-364da2661108)
- https://www.vicarius.io/vsociety/posts/cve-2025-49594-mitigate-xwiki-vulnerability