CVE-2025-49582
📋 TL;DR
XWiki's required rights analyzers for dangerous macros (the check that warns a user holding programming rights before they save content that would execute with those rights) are incomplete: a macro whose parameter names are not all lowercase, or whose dangerous content sits in a parameter the analyzers do not inspect, is not reported. An attacker who can edit a page can therefore plant a hidden Groovy or Python macro; when a user with programming rights later edits and saves that page, the macro executes with that user's rights, which amounts to remote code execution. Affects XWiki instances that accept user-generated content.
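The following is an added example, not XWiki's own code and not the fix from the advisory. It shows the failure mode the TL;DR describes: a required-rights check that matches macro and parameter names with exact case misses a script macro that XWiki itself accepts, while a check that normalizes names first does not. The macro parsing is a small regex over XWiki 2.1 {{macro}} syntax, the set of macros treated as needing programming rights is a constructed policy, and the sample page content is constructed for this example.

```python
"""Added example: a case-sensitive required-rights check beside a normalized one.
Not XWiki's code or the fix; the parsing is a small regex over XWiki 2.1 macro
syntax, and the policy and samples below are constructed for this example."""
import re

# Constructed policy: which macros need programming rights.  {{groovy}} and
# {{python}} always do; {{script}} does when its language parameter names one.
PR_MACROS = {"groovy", "python"}
SCRIPT_LANGS = {"groovy", "python"}

# {{name param="value" ...}} or {{name ... /}}; closing tags ({{/name}}) are
# skipped because the name must start with a letter.
MACRO_RE = re.compile(r"\{\{\s*(?P<name>[A-Za-z][\w-]*)(?P<params>[^}]*?)\s*/?\}\}")
PARAM_RE = re.compile(r'(?P<key>[\w-]+)\s*=\s*"(?P<value>[^"]*)"')


def parse_macros(content):
    """Return [(macro_name, {param_name: value}), ...] with case preserved."""
    found = []
    for m in MACRO_RE.finditer(content):
        params = {p.group("key"): p.group("value")
                  for p in PARAM_RE.finditer(m.group("params"))}
        found.append((m.group("name"), params))
    return found


def vulnerable_analyzer(content):
    """Exact-case matching: the incomplete behaviour the advisory describes.
    A macro whose parameter is spelled Language= instead of language= is
    accepted by XWiki but never seen by this check."""
    for name, params in parse_macros(content):
        if name in PR_MACROS:
            return True
        if name == "script" and params.get("language") in SCRIPT_LANGS:
            return True
    return False


def fixed_analyzer(content):
    """Normalize names before matching.  XWiki macro parameter names are
    case-insensitive, so the analyzer must compare them case-insensitively.
    Lowercasing the macro name and the language value as well is a defensive
    generalization (an assumption of this example, not a statement from the
    page): over-flagging costs a warning, under-flagging is the vulnerability."""
    for name, params in parse_macros(content):
        lname = name.lower()
        lparams = {k.lower(): v.lower() for k, v in params.items()}
        if lname in PR_MACROS:
            return True
        if lname == "script" and lparams.get("language") in SCRIPT_LANGS:
            return True
    return False


# Constructed page content, not taken from any real wiki.
SAMPLES = {
    "plain":  "= Notes =\n\nNothing executable here.",
    "direct": "{{groovy}}println 'hi'{{/groovy}}",
    "script": '{{script language="groovy"}}println "hi"{{/script}}',
    # Same macro, parameter name not lowercase: hidden from the exact-case check.
    "hidden": '{{script Language="groovy"}}println "hi"{{/script}}',
}


def compare(samples=SAMPLES):
    """Map sample name -> (vulnerable_analyzer result, fixed_analyzer result)."""
    return {k: (vulnerable_analyzer(v), fixed_analyzer(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:7s} vulnerable_analyzer={old!s:5s} fixed_analyzer={new}")
```

The "hidden" sample is the whole point: the exact-case analyzer reports no required rights for it, so a privileged editor gets no warning, yet the macro runs once they save. Any analyzer that gates a privilege decision on names must normalize them the same way the component that later executes them does.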
💻 Affected Systems
- XWiki
📦 What is this software?
XWiki by XWiki
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution: a hidden Groovy or Python macro runs with programming rights as soon as a user holding those rights edits and saves the compromised page, giving the attacker arbitrary code execution on the XWiki server.
Likely Case
Privilege escalation: script content authored by a low-privileged user ends up executing with the rights of a privileged editor who never saw a warning.
If Mitigated
Limited to privilege escalation within the wiki if macro execution is restricted.
🎯 Exploit Status
Requires the ability to create or edit pages containing macros, and a user with programming rights who subsequently edits and saves one of those pages. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: XWiki 16.4.7, 16.10.3, or 17.0.0
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj
Restart Required: Yes
Instructions:
1. Back up your XWiki instance.
2. Upgrade to XWiki 16.4.7, 16.10.3, or 17.0.0 (or a later release on the same branch).
3. Restart the application server.
4. Verify the fix by confirming the running version.
🔧 Temporary Workarounds
Restrict macro usage
Disable or restrict the dangerous script macros (Groovy, Python) through XWiki configuration where your deployment allows it; this removes the payload vehicle but does not repair the missing analysis, which only the upgrade does.
Edit xwiki.properties to set appropriate macro restrictions.
Limit user permissions
Reduce programming rights to the minimum set of users and restrict who may edit pages containing macros.
Configure XWiki rights to limit who can edit pages with macros.
🧯 If You Can't Patch
- Disable all script macros (Groovy, Python) in XWiki configuration
- Implement strict content review for pages containing macros before privileged users edit them; review the raw wiki source rather than the rendered page, since a hidden macro is exactly what the built-in analysis fails to flag
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version. Versions from 15.9RC1 up to and including 16.4.6, and from 16.5 up to and including 16.10.2, are vulnerable; 16.4.7 and later on the 16.4 branch, 16.10.3 and later on the 16.10 branch, and 17.0.0 and later are fixed.
Check Version:
Check the XWiki administration panel, or the version reported by the REST API root resource (/xwiki/rest); xwiki.cfg is a configuration file and does not record the installed version.
Verify Fix Applied:
Verify that the XWiki version is 16.4.7 or later on the 16.4 branch, 16.10.3 or later on the 16.10 branch, or 17.0.0 or later.
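An added helper for the version check above (not XWiki tooling): it parses the version string shown in the administration panel and reports whether it falls inside the affected ranges listed on this page. The version grammar it accepts (major.minor[.patch] with an optional RC qualifier written either as 15.9-rc-1 or 15.9RC1) is an assumption chosen to cover the release names used here.

```python
"""Added example: decide from a version string whether an instance falls in the
vulnerable ranges listed above.  Not XWiki tooling; the version grammar handled
here (major.minor[.patch] with an optional RC qualifier such as 15.9-rc-1 or
15.9RC1) is an assumption that covers the release names this page uses."""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?[rR][cC]-?(\d+))?$")


def parse_version(text):
    """Return a comparable tuple; a release candidate sorts before its final release."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def is_vulnerable(text):
    """True when the version is inside a range this page lists as affected."""
    v = parse_version(text)
    if v < parse_version("15.9-rc-1"):
        return False      # earlier than the first affected release
    if v < parse_version("16.4.7"):
        return True       # 15.9RC1 .. 16.4.6
    if (v[0], v[1]) < (16, 5):
        return False      # 16.4.7 and later 16.4.x patch releases
    if v < parse_version("16.10.3"):
        return True       # 16.5 .. 16.10.2
    return False          # 16.10.3+, 17.0.0+


def classify(versions):
    """Map each version string to 'vulnerable' or 'fixed' for a quick report."""
    return {s: ("vulnerable" if is_vulnerable(s) else "fixed") for s in versions}


if __name__ == "__main__":
    for s, status in classify(["15.8", "15.9RC1", "16.4.6", "16.4.7",
                               "16.10.2", "16.10.3", "17.0.0"]).items():
        print(f"{s:8s} {status}")
```

Feed it the version string from the administration panel; an unrecognised qualifier (milestone builds, snapshots) raises rather than guessing, which is the right failure mode for a fleet check.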
📡 Detection & Monitoring
Log Indicators:
- Script macros ({{groovy}}, {{python}}, {{script}}) present in pages whose last author holds no programming rights
- Multiple failed macro validation attempts
- Page edits by low-privileged users that add script macros, especially with unusual casing of macro or parameter names
Network Indicators:
- Unusual outbound connections from XWiki server after macro execution
SIEM Query:
Correlate page history: flag any save by a user holding programming rights of a page that a lower-privileged user recently modified and that contains script macro content, since after that save the macro runs with the privileged user's rights.
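The correlation above, written out as an added example rather than as an XWiki or SIEM query: it walks a page-history feed and flags a privileged save of content whose script macros were last touched by a lower-privileged user. The records are constructed for this example and are not XWiki's audit or history format; the programming flag (whether the saving user held programming rights at save time) is assumed to come from your own rights export, and real content would be pulled from each page's version history.

```python
"""Added example: the correlation the SIEM query above describes, run over a
constructed page-history feed.  Not XWiki's history or audit format; the
records below are made up, and the `programming` flag is assumed to come from
a separate rights export."""
import re
from datetime import datetime, timedelta

# Script macros whose appearance matters; matched case-insensitively, since the
# hidden variant of this bug relies on non-lowercase names.
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*(groovy|python|script)\b", re.IGNORECASE)


def script_macros(content):
    """Set of script macro names present in the page source (lowercased)."""
    return {m.group(1).lower() for m in SCRIPT_MACRO_RE.finditer(content)}


def find_suspicious_saves(history, window_days=7):
    """Flag saves by programming-rights users of pages whose script-macro content
    was last introduced or modified by a lower-privileged user within the window.
    After such a save the macro runs with the privileged user's rights."""
    window = timedelta(days=window_days)
    alerts = []
    by_page = {}
    for rec in history:
        by_page.setdefault(rec["page"], []).append(rec)
    for page, recs in by_page.items():
        recs.sort(key=lambda r: r["saved"])
        taint = None                      # latest low-privilege save carrying macros
        for rec in recs:
            macros = script_macros(rec["content"])
            if not rec["programming"]:
                taint = rec if macros else None
                continue
            if taint and macros and rec["saved"] - taint["saved"] <= window:
                alerts.append({
                    "page": page,
                    "saved_by": rec["author"], "version": rec["version"],
                    "tainted_by": taint["author"], "tainted_version": taint["version"],
                    "macros": sorted(macros),
                })
            taint = None                  # content is now owned by a privileged author
    return alerts


def ts(s):
    return datetime.fromisoformat(s)


# Constructed history records (not real wiki data).
HISTORY = [
    {"page": "Sandbox.Notes", "version": "1.1", "author": "mallory", "programming": False,
     "saved": ts("2025-06-01T09:00:00"), "content": "Just some notes."},
    {"page": "Sandbox.Notes", "version": "2.1", "author": "mallory", "programming": False,
     "saved": ts("2025-06-02T10:00:00"),
     "content": '{{script Language="groovy"}}/* payload */{{/script}}'},
    {"page": "Sandbox.Notes", "version": "3.1", "author": "admin", "programming": True,
     "saved": ts("2025-06-03T08:30:00"),
     "content": '{{script Language="groovy"}}/* payload */{{/script}}\nTypo fixed by admin.'},
    # A privileged author's own macro: expected, not an alert.
    {"page": "Main.Dashboard", "version": "1.1", "author": "admin", "programming": True,
     "saved": ts("2025-06-01T12:00:00"), "content": "{{groovy}}println 'ok'{{/groovy}}"},
    # Low-privilege edit followed by a privileged save, but no macro involved.
    {"page": "Docs.Howto", "version": "1.1", "author": "mallory", "programming": False,
     "saved": ts("2025-06-04T09:00:00"), "content": "Step 1, step 2."},
    {"page": "Docs.Howto", "version": "2.1", "author": "admin", "programming": True,
     "saved": ts("2025-06-04T11:00:00"), "content": "Step 1, step 2, step 3."},
]

if __name__ == "__main__":
    for alert in find_suspicious_saves(HISTORY):
        print(alert)
```

Only Sandbox.Notes fires: mallory introduced a script macro in 2.1 and admin saved 3.1 with it still present. The rule keys on the sequence of authors rather than on the macro text, which is what makes it robust to the casing tricks the analyzer missed.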
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/0a705e8e253cb871b804e25c53b2bde879c886bd
- https://github.com/xwiki/xwiki-platform/commit/3d451e957fe2b14459e9ac64172b4a0e4c46971c
- https://github.com/xwiki/xwiki-platform/commit/abdcefc0db27035b67329add836fd683e0cf92b8
- https://github.com/xwiki/xwiki-platform/commit/cc74dc802efe0e2d3fa2ba3355dbadc51c5fd8c7
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj
- https://jira.xwiki.org/browse/XWIKI-22758
- https://jira.xwiki.org/browse/XWIKI-22759
- https://jira.xwiki.org/browse/XWIKI-22763
- https://jira.xwiki.org/browse/XWIKI-22799