CVE-2025-54385
📋 TL;DR
This CVE describes a critical SQL injection vulnerability in XWiki Platform that allows attackers to execute arbitrary SQL queries on Oracle databases. The vulnerability affects XWiki versions 16.10.5 and below, and versions from 17.0.0-rc1 to 17.2.2. Attackers can exploit it through XWiki's searchDocuments APIs, which pass unsanitized queries to Hibernate.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via Oracle database functions like DBMS_XMLGEN or DBMS_XMLQUERY.
Likely Case
Data exfiltration, unauthorized data modification, and potential privilege escalation within the XWiki application and underlying Oracle database.
If Mitigated
Limited impact if proper network segmentation, database user privilege restrictions, and input validation are in place, though SQL injection would still be possible.
🎯 Exploit Status
Exploitation requires authenticated access to XWiki APIs. The vulnerability is in core search functionality that's widely used.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.10.6 and 17.3.0-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5
Restart Required: Yes
Instructions:
1. Upgrade to XWiki 16.10.6 or 17.3.0-rc-1 or later.
2. Restart the XWiki application server.
3. Verify the fix by checking the version and testing search functionality.
🔧 Temporary Workarounds
Restrict Database User Privileges
Limit the database user account's permissions so that it cannot execute dangerous Oracle packages such as DBMS_XMLGEN and DBMS_XMLQUERY.
REVOKE EXECUTE ON DBMS_XMLGEN FROM xwiki_user;
REVOKE EXECUTE ON DBMS_XMLQUERY FROM xwiki_user;
Input Validation Filter
Implement application-level filtering to block queries containing Oracle-specific function calls in search parameters.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate XWiki servers from other critical systems
- Enable detailed logging and monitoring of all database queries from XWiki application
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version and verify whether an Oracle database backend is in use. Versions 16.10.5 or below, or between 17.0.0-rc1 and 17.2.2, are vulnerable.
Check Version:
Check XWiki administration panel or view xwiki.cfg/xwiki.properties configuration files for version information.
Verify Fix Applied:
Verify that the version is 16.10.6 or higher, or 17.3.0-rc-1 or higher. Test search functionality to ensure it works without errors.
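The version check above is easy to get wrong by hand because XWiki release candidates ("17.0.0-rc-1") must sort before the corresponding final release. The following Python helper is an added example, not code from this page or from the XWiki project: it parses an XWiki version string (obtained from the administration panel or configuration files as described above) into a comparable tuple and reports whether it falls inside either affected range stated on this page. The range boundaries are taken from the page; the parsing rules and the rc ranking are this example's own assumptions.

```python
import re
from typing import Tuple

# Affected ranges as stated on this page: 16.10.5 and below, and
# 17.0.0-rc-1 through 17.2.2 inclusive. Fixed in 16.10.6 and 17.3.0-rc-1.
FIXED_16 = "16.10.6"
FIRST_VULN_17 = "17.0.0-rc-1"
LAST_VULN_17 = "17.2.2"

# Accepts "16.10.5", "17.0.0-rc-1" and the "17.0.0-rc1" spelling used on this page.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc-?(\d+))?$", re.IGNORECASE)

# A final release must sort after every release candidate of the same number,
# so rc-N gets rank N and a final release gets a rank larger than any rc.
_FINAL_RANK = 10**6


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an XWiki version string into a comparable (major, minor, patch, rc_rank) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    rc_rank = int(rc) if rc is not None else _FINAL_RANK
    return (int(major), int(minor), int(patch), rc_rank)


def is_vulnerable(version: str) -> bool:
    """True if the given XWiki version falls inside either affected range on this page."""
    v = parse_version(version)
    if v < parse_version(FIXED_16):  # 16.10.5 and everything older
        return True
    return parse_version(FIRST_VULN_17) <= v <= parse_version(LAST_VULN_17)


if __name__ == "__main__":
    for sample in ["16.10.5", "16.10.6", "17.0.0-rc-1", "17.2.2", "17.3.0-rc-1"]:
        print(f"{sample:>12}: {'VULNERABLE' if is_vulnerable(sample) else 'fixed'}")
```

The helper follows the page's ranges literally: anything older than 16.10.6 is treated as affected, and the 17.x line is affected from 17.0.0-rc-1 up to and including 17.2.2. Version strings with suffixes the page does not mention (for example snapshot builds) are rejected with a ValueError rather than silently classified.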
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs containing DBMS_XMLGEN or DBMS_XMLQUERY functions
- Multiple failed search attempts with unusual parameters
- Unexpected database privilege escalation attempts
Network Indicators:
- Unusual database traffic patterns from XWiki application servers
- Large data transfers from database to XWiki servers
SIEM Query:
source="database_logs" AND ("DBMS_XMLGEN" OR "DBMS_XMLQUERY") AND source_ip="xwiki_server_ip"
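To show the log indicators and the SIEM query above as runnable detection logic, here is an added Python example that is not part of this page or of the XWiki project. It scans database query log lines for calls into DBMS_XMLGEN or DBMS_XMLQUERY, matching case-insensitively so mixed-case spellings are not missed, and rates a hit from the XWiki application server higher than one from any other host, mirroring the source_ip condition in the SIEM query. The log line layout, the server address and the sample lines are all constructed for this example and are assumptions rather than a real Oracle or XWiki log format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed log layout for this example (an assumption, not an Oracle or
# XWiki log format): "<ISO timestamp> <client_ip> <db_user> <SQL text>".
_LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

# The Oracle packages named in the Log Indicators above. Matched case-insensitively
# and tolerant of whitespace before the member access, so "dbms_xmlgen .getxml"
# is caught as well as "DBMS_XMLGEN.GETXML".
_SUSPICIOUS_PKG_RE = re.compile(r"\b(DBMS_XML(?:GEN|QUERY))\s*\.", re.IGNORECASE)

# Constructed address of the XWiki application server; it stands in for the
# "xwiki_server_ip" placeholder in the SIEM query above.
XWIKI_SERVER_IPS: Set[str] = {"10.0.5.20"}


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    db_user: str
    package: str
    severity: str
    sql: str


def scan_db_logs(lines: Iterable[str], xwiki_ips: Set[str] = XWIKI_SERVER_IPS) -> List[Finding]:
    """Return one Finding per log line that calls DBMS_XMLGEN or DBMS_XMLQUERY.
    Calls from an XWiki server are what the SIEM query above targets, so they are
    rated high; the same calls from any other host are rated medium."""
    findings: List[Finding] = []
    for line in lines:
        m = _LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole scan
        ts, ip, user, sql = m.groups()
        hit = _SUSPICIOUS_PKG_RE.search(sql)
        if hit is None:
            continue
        severity = "high" if ip in xwiki_ips else "medium"
        findings.append(Finding(ts, ip, user, hit.group(1).upper(), severity, sql))
    return findings


# Constructed sample log lines: one benign query from the XWiki server, one
# DBMS_XMLGEN call from the XWiki server, one DBMS_XMLQUERY call from a different
# host, another benign query, and a malformed line.
SAMPLE_LOG = """\
2025-08-01T10:00:01Z 10.0.5.20 xwiki_user SELECT doc_name FROM wiki_docs WHERE doc_space = 'Main'
2025-08-01T10:00:02Z 10.0.5.20 xwiki_user SELECT dbms_xmlgen.getxml('select 1 from dual') FROM dual
2025-08-01T10:00:03Z 10.0.9.7 report_user SELECT DBMS_XMLQUERY.getXML('select 1 from dual') FROM dual
2025-08-01T10:00:04Z 10.0.5.20 xwiki_user SELECT count(*) FROM wiki_docs
malformed line
"""

if __name__ == "__main__":
    for f in scan_db_logs(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.timestamp} {f.client_ip} {f.db_user}: {f.package} in {f.sql}")
```

Feeding the scanner a real query log only requires adapting `_LOG_LINE_RE` to that log's layout; the package regex and the severity rule stay the same. Unlike a literal string match, the case-insensitive pattern also catches the lower-case spelling in the second sample line, which the SIEM query above would miss if the SIEM compares strings case-sensitively.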
🔗 References
- https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html
- https://github.com/xwiki/xwiki-platform/commit/7313dc9b533c70f14b7672379c8b3b63d1fd8f51
- https://github.com/xwiki/xwiki-platform/commit/7c4087d44ac550610b2fa413dd4f5375409265a5
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5
- https://jira.xwiki.org/browse/XWIKI-22728
- https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.6