7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-31487

GHSA ID

GHSA-wc53-4255-gw3f

EPSS Score

0.11969%

CWE

CWE-611

Published

4/4/2025

Updated

4/4/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-31487

CVE-2025-31487: The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server

Impact

If the JIRA macro is installed, any logged in XWiki user could edit his/her user profile wiki page and use that JIRA macro, specifying a fake JIRA URL that returns an XML specifying a DOCTYPE pointing to a local file on the XWiki server host and displaying that file's content in one of the returned JIRA fields (such as the summary or description for example).

For example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<rss version="0.92">
...
    <item>
      <title>&xxe;</title>
      <link>https://jira.xwiki.org/browse/XE-307</link>
      <project id="10222" key="XE">{RETIRED} XWiki Enterprise</project>
      <description>&xxe;</description>
      <environment/>
...

Patches

The vulnerability has been patched in the JIRA Extension v8.6.5.

Workarounds

No easy workaround except to upgrade (which is easy using the XWiki Extension Manager).

References

https://github.com/xwiki-contrib/jira/commit/98a74c2a516b42689c73b13ecd94e9c1998fa9cb and https://github.com/xwiki-contrib/jira/commit/5049e352d16f8356734de70daf1202301f170ee6
https://jira.xwiki.org/browse/JIRA-49

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-31487

GHSA ID

GHSA-wc53-4255-gw3f

EPSS Score

0.11969%

CWE

CWE-611

Published

4/4/2025

Updated

4/4/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.contrib.jira:jira-macro-default	maven	>= 4.2, < 8.5.6	8.5.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an XXE attack in the JIRA macro's XML processing. The key vulnerable function is createSAXBuilder() in HTTPJIRAFetcher class, which was modified in both commits to add XXE protection. The first commit (98a74c2) added basic protection by setting ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to empty strings, while the second commit (5049e35) implemented stronger protection by completely disabling DTD processing. The function is clearly involved in processing potentially malicious XML input from a fake JIRA server, making it the primary vulnerable function that would appear in a runtime profiler during exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* t** JIR* m**ro is inst*ll**, *ny lo**** in XWiki us*r *oul* **it *is/**r us*r pro*il* wiki p*** *n* us* t**t JIR* m**ro, sp**i*yin* * **k* JIR* URL t**t r*turns *n XML sp**i*yin* * *O*TYP* pointin* to * lo**l *il* on t** XWiki s*rv*r *o

Reasoning

T** vuln*r**ility is *n XX* *tt**k in t** JIR* m**ro's XML pro**ssin*. T** k*y vuln*r**l* *un*tion is *r**t*S*X*uil**r() in *TTPJIR***t***r *l*ss, w*i** w*s mo*i*i** in *ot* *ommits to *** XX* prot**tion. T** *irst *ommit (*******) ***** **si* prot**

7.7

Basic Information

Concerned about an active attack path?

CVE-2025-31487: The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server

Impact

Patches

Workarounds

References

For more information

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI