Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
EPSS Score:
78%
Comprehensive Technical Analysis of EUVD-2025-4562
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Description:
The vulnerability in the XWiki Platform allows any guest user to perform arbitrary remote code execution (RCE) through a specially crafted request to the SolrSearch endpoint. This vulnerability significantly impacts the confidentiality, integrity, and availability of the XWiki installation.
Severity Evaluation:
- Base Score: 9.8
- Base Score Version: CVSS 3.1
- Base Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The high base score of 9.8 indicates a critical vulnerability. The CVSS vector breakdown shows that the vulnerability can be exploited over the network (AV:N), requires low complexity (AC:L), does not require any privileges (PR:N) or user interaction (UI:N), and has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Unauthenticated RCE: An attacker can send a crafted HTTP request to the
SolrSearchendpoint without needing to authenticate. - Injection Points: The vulnerability leverages the
SolrSearchfunctionality, which processes user input in a way that allows for code injection.
Exploitation Methods:
- Crafted URL: An attacker can exploit the vulnerability by sending a request to
<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. - Payload Execution: The payload executes arbitrary Groovy code, which can be used to perform various malicious actions such as data exfiltration, system compromise, or further exploitation.
3. Affected Systems and Software Versions
Affected Versions:
- XWiki Platform versions prior to 15.10.11
- XWiki Platform versions 16.0.0-rc-1 to 16.4.1
Unaffected Versions:
- XWiki Platform 15.10.11 and later
- XWiki Platform 16.4.1 and later
- XWiki Platform 16.5.0RC1 and later
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Upgrade: Users are strongly advised to upgrade to the patched versions (15.10.11, 16.4.1, or 16.5.0RC1).
- Temporary Fix: For users unable to upgrade immediately, edit
Main.SolrSearchMacrosinSolrSearchMacros.xmlon line 955 to match therawResponsemacro inmacros.vm#L2824with a content type ofapplication/xml.
Long-Term Mitigation:
- Regular Patching: Implement a regular patching and update schedule for all software components.
- Input Validation: Ensure robust input validation and sanitization mechanisms are in place to prevent similar injection vulnerabilities.
- Access Controls: Implement strict access controls and authentication mechanisms to limit unauthorized access.
5. Impact on European Cybersecurity Landscape
Regional Impact:
- Widespread Use: XWiki Platform is widely used in various sectors across Europe, including education, government, and private enterprises.
- Critical Infrastructure: The vulnerability poses a significant risk to critical infrastructure and sensitive data, potentially leading to data breaches, service disruptions, and financial losses.
- Compliance: Organizations must ensure compliance with European cybersecurity regulations and standards, such as GDPR and NIS Directive, to mitigate legal and financial repercussions.
6. Technical Details for Security Professionals
Exploit Reproduction: To reproduce the vulnerability, perform the following steps:
- Access the XWiki instance without logging in.
- Send a GET request to
<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. - Check the output and the title of the RSS feed for the string
Hello from search text:42.
Patch Details:
- Patch Commit: The vulnerability was patched in commit
67021db9b8ed26c2236a653269302a86bf01ef40. - Code Changes: The patch involves modifying the
SolrSearchMacros.xmlfile to ensure that therawResponsemacro handles the content type correctly, preventing arbitrary code execution.
References:
Conclusion: The EUVD-2025-4562 vulnerability in the XWiki Platform is critical and requires immediate attention. Organizations should prioritize upgrading to the patched versions or applying the temporary fix to mitigate the risk of exploitation. Regular security audits and adherence to best practices will help maintain a robust cybersecurity posture.