CVE-2025-51991
📋 TL;DR
This vulnerability allows authenticated administrators in XWiki to inject malicious Apache Velocity templates through the Global Preferences Presentation interface. Successful exploitation enables server-side template injection, potentially leading to information disclosure or remote code execution. Only administrators with access to the affected interface are impacted.
💻 Affected Systems
- XWiki
📦 What is this software?
XWiki by XWiki
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system compromise, data exfiltration, or lateral movement within the network.
Likely Case
Information disclosure of server configuration, internal data, or limited code execution depending on Velocity sandbox configuration.
If Mitigated
Limited impact due to proper access controls, monitoring, and restricted administrator privileges.
🎯 Exploit Status
Exploitation requires administrator credentials but is straightforward once authenticated. Public writeups demonstrate a proof of concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.3.1 or later
Vendor Advisory: https://xwiki.org
Restart Required: Yes
Instructions:
1. Back up your XWiki instance.
2. Download and install XWiki 17.3.1 or later from xwiki.org.
3. Follow the upgrade documentation.
4. Restart the XWiki service.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrator accounts to only trusted personnel and implement multi-factor authentication.
Input Validation Filter
Implement web application firewall rules to block Velocity template syntax in HTTP Meta Info fields.
🧯 If You Can't Patch
- Remove administrator access from all non-essential users and implement strict access controls.
- Monitor administrator activity logs for suspicious template injection attempts in Global Preferences.
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version via Administration → About XWiki. If the version is 17.3.0 or earlier, the system is vulnerable.
Check Version:
Check the XWiki web interface at /xwiki/bin/view/Admin/About or examine the xwiki.properties file.
Verify Fix Applied:
After patching, verify that the version is 17.3.1 or later and test that Velocity template injection in the HTTP Meta Info field is blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator activity in Global Preferences
- Velocity template syntax in HTTP Meta Info field submissions
- Unexpected server-side template rendering errors
Network Indicators:
- POST requests to /xwiki/bin/save/Admin/GlobalPreferences with Velocity template payloads
SIEM Query:
source="xwiki.log" AND ("GlobalPreferences" OR "HTTP Meta Info") AND ("Velocity" OR "#set" OR "#foreach")
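The log and network indicators above can be combined into one check: flag POST requests to the GlobalPreferences save endpoint whose decoded form body carries Velocity syntax. This is an added detection example, not code from the advisory or from XWiki; the log format (method, path, URL-encoded body on one line) and the `meta` field name standing in for HTTP Meta Info are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real XWiki output): method, path and the
# URL-encoded form body, separated by single spaces. "meta" is a hypothetical
# field name standing in for the HTTP Meta Info preference.
SAMPLE_LOG = """\
POST /xwiki/bin/save/Admin/GlobalPreferences meta=%3Cmeta+name%3D%22author%22%3E&form_token=abc
POST /xwiki/bin/save/Admin/GlobalPreferences meta=%23set%28%24x%3D1%29%24x&form_token=abc
POST /xwiki/bin/save/Sandbox/WebHome content=%23foreach%28%24i+in+%5B1..3%5D%29&form_token=abc
GET /xwiki/bin/view/Admin/About -
POST /xwiki/bin/save/Admin/GlobalPreferences meta=${request.test}&form_token=abc
"""

# Velocity directives (#set, #foreach, ...) and variable references ($x, ${x})
# have no business in a purely presentational HTTP Meta Info field.
VELOCITY_PATTERN = re.compile(
    r"#(set|foreach|if|macro|evaluate|include|parse)\b|\$\{?[A-Za-z_]"
)
GLOBAL_PREFS_SAVE = re.compile(r"^/xwiki/bin/save/Admin/GlobalPreferences")


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    fields = {}
    for part in body.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def find_velocity_in_global_prefs(log_text):
    """Return (line_no, field, decoded_value) for every GlobalPreferences save
    whose body contains Velocity syntax. Decoding happens before matching, so
    URL-encoded payloads such as %23set are not missed."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            method, path, body = line.split(" ", 2)
        except ValueError:
            continue  # malformed or empty line, nothing to inspect
        if method != "POST" or not GLOBAL_PREFS_SAVE.match(path):
            continue
        for field, value in parse_form(body).items():
            if VELOCITY_PATTERN.search(value):
                hits.append((line_no, field, value))
    return hits


if __name__ == "__main__":
    for line_no, field, value in find_velocity_in_global_prefs(SAMPLE_LOG):
        print(f"line {line_no}: Velocity syntax in field '{field}': {value!r}")
```

The plain `<meta>` tag on the first line and the Sandbox page save on the third are deliberately left unflagged, so the check alerts only on template syntax reaching the Global Preferences endpoint.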