CVE-2025-29925
📋 TL;DR
XWiki Platform REST endpoints improperly list protected pages even when the requesting user lacks view permission on them. This information disclosure vulnerability affects XWiki instances that have protected pages, or entire wikis configured to prevent viewing by unregistered users.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate all protected pages in a wiki, potentially revealing sensitive information, internal documentation, or administrative pages that should be hidden.
Likely Case
Unauthorized users discover the existence of protected pages they should not know about, potentially enabling targeted attacks or information gathering.
If Mitigated
With proper network segmentation and access controls, the impact is limited to internal information disclosure rather than external data exposure.
🎯 Exploit Status
Simple HTTP GET request to REST endpoint reveals protected page listings without authentication
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.10.14, 16.4.6, or 16.10.0RC1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-22q5-9phm-744v
Restart Required: Yes
Instructions:
1. Identify the current XWiki version.
2. Upgrade to 15.10.14, 16.4.6, or 16.10.0RC1 depending on your branch.
3. Restart the XWiki service.
4. Verify the fix by testing the REST endpoint as an unauthenticated user.
🔧 Temporary Workarounds
Restrict REST API Access
Configure the web server or firewall to block access to the /rest/wikis/*/pages endpoints for unauthorized users.
# Example nginx location block. "deny all" blocks the listing endpoint for every caller,
# including authenticated users; alternatively require authentication at the proxy instead.
# Adjust the prefix if XWiki is deployed under a context path such as /xwiki.
location ~ ^/rest/wikis/[^/]+/pages$ {
deny all;
}
Disable REST Endpoint
Temporarily disable the affected REST endpoint if it is not required.
# Modify the XWiki configuration, or block the endpoint at the web server.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the XWiki REST API endpoints
- Enable detailed logging for REST API access and monitor for unauthorized enumeration attempts
🔍 How to Verify
Check if Vulnerable:
As an unauthenticated user, send a GET request to the /rest/wikis/[wikiName]/pages endpoint. If protected pages are listed in the response, the system is vulnerable.
Check Version:
Check the XWiki version in the administration interface or via /xwiki/bin/view/Main/WebHome?viewer=info
Verify Fix Applied:
After patching, repeat the test. Protected pages should no longer appear in the REST endpoint response for unauthorized users.
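The "Check if Vulnerable" and "Verify Fix Applied" steps above can be run as one repeatable check. The script below is an added example, not part of this advisory or of the XWiki project; it assumes the REST resource answers with the XWiki XML model (a <pages> element containing <pageSummary> elements with a <fullName> child, namespace http://www.xwiki.org), and the embedded sample response and protected page names are constructed, not captured from a live instance.

```python
"""Re-check CVE-2025-29925: does the anonymous REST page listing expose protected pages?"""
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Assumed XWiki REST namespace (verify against your instance's actual response).
XWIKI_NS = {"xw": "http://www.xwiki.org"}

# Constructed sample of what a vulnerable instance might return to an anonymous caller.
# "Internal.Passwords" stands in for a page that must never appear in an anonymous listing.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://www.xwiki.org">
  <pageSummary><fullName>Main.WebHome</fullName></pageSummary>
  <pageSummary><fullName>Internal.Passwords</fullName></pageSummary>
  <pageSummary><fullName>Sandbox.WebHome</fullName></pageSummary>
</pages>"""


def listed_pages(xml_body: bytes) -> set:
    """Return the fullName of every page summary in a REST listing response."""
    root = ET.fromstring(xml_body)
    return {el.text for el in root.findall(".//xw:pageSummary/xw:fullName", XWIKI_NS) if el.text}


def leaked_protected_pages(xml_body: bytes, protected: set) -> set:
    """Protected pages exposed by the listing. An empty set means the fix is effective."""
    return listed_pages(xml_body) & protected


def fetch_anonymous_listing(base_url: str, wiki: str) -> bytes:
    """GET /rest/wikis/<wiki>/pages with no cookies or Authorization header, i.e. anonymously.
    base_url must include the context path if XWiki is deployed under one (e.g. .../xwiki)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/rest/wikis/{wiki}/pages",
                                 headers={"Accept": "application/xml"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


if __name__ == "__main__":
    # Usage: python check.py <base_url> <wiki> <ProtectedSpace.Page> [more pages...]
    # Without arguments the constructed sample response is evaluated instead.
    live = len(sys.argv) >= 3
    body = fetch_anonymous_listing(sys.argv[1], sys.argv[2]) if live else SAMPLE_RESPONSE
    protected = set(sys.argv[3:]) or {"Internal.Passwords"}
    leaked = leaked_protected_pages(body, protected)
    if leaked:
        print("VULNERABLE: anonymous listing exposes " + ", ".join(sorted(leaked)))
    else:
        print("OK: no protected pages appear in the anonymous listing")
```

Run it once before patching to confirm the finding and once after the restart to confirm the fix; the protected page names are the administrator's own list of pages that must stay hidden from unregistered users.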
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /rest/wikis/*/pages endpoints from unauthenticated users
- Unusual spike in REST API access from single IP
Network Indicators:
- HTTP GET requests to REST page listing endpoints without authentication headers
- Pattern of sequential page enumeration via REST API
SIEM Query:
source="xwiki.log" AND (uri_path="/rest/wikis/*/pages" AND NOT user_authenticated=true)
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df
- https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-22q5-9phm-744v
- https://jira.xwiki.org/browse/XWIKI-22630
- https://jira.xwiki.org/browse/XWIKI-22639