9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-32969

GHSA ID

GHSA-f69v-xrj8-rhxf

EPSS Score

0.90023%

CWE

CWE-89

Published

4/23/2025

Updated

4/30/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32969

CVE-2025-32969: org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API

Impact

It is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled.

Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.

The vulnerability may be tested in a default installation of XWIki Standard Flavor, including using the official Docker containers.

An example query, which leads to SQL injection with MySQL/MariaDB backend is shown below:

time curl "http://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20doc.name=length('a')*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(10)%20%23%27&type=hql&distinct=0"

When executed, the response from the server will come after a delay of 10 extra seconds, indicating successful execution of the injected SQL statement.

An example of a query for the PostgreSQL database backend is shown below:

curl "https://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20%24%24='%24%24=concat(%20chr(%2061%20),(chr(%2039%20))%20)%20;select%201%20--%20comment'&type=hql&distinct=0"

Both requests employ database backend dependent techniques of breaking out of HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections.

Patches

This has been patched in 16.10.1, 16.4.6 and 15.10.16.

Workarounds

There is no known workaround, other than upgrading XWiki.

References

https://jira.xwiki.org/browse/XWIKI-22691

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Attribution

Sergey Anufrienko from Kaspersky ICS-CERT vulnerability research team reported this vulnerability.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-32969

GHSA ID

GHSA-f69v-xrj8-rhxf

EPSS Score

0.90023%

CWE

CWE-89

Published

4/23/2025

Updated

4/30/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-rest-server	maven	>= 1.8, < 15.10.16	15.10.16
org.xwiki.platform:xwiki-platform-rest-server	maven	>= 16.0.0-rc-1, < 16.4.6	16.4.6
org.xwiki.platform:xwiki-platform-rest-server	maven	>= 16.5.0-rc-1, < 16.10.1	16.10.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an SQL injection in the HQL query endpoint of the XWiki REST API. The analysis focused on the provided commit 5c11a874bd24a581f534d283186e209bbccd8113.

The REST API layer, specifically a method like DefaultQueryResource.getResults (inferred from the vulnerability path /rest/wikis/xwiki/query and the patch to AbstractDatabaseSearchSource.java which is in the same REST server module), is the entry point that processes the malicious 'q' parameter from the user.
The core of the HQL execution logic resides in com.xpn.xwiki.store.hibernate.query.HqlQueryExecutor. The execute method within this class is where the (potentially malicious) HQL query is run. The patch modifies the timing and context of checks within this method.
The isSafeSelect method in HqlQueryExecutor was responsible for validating the HQL query. Its previous implementation was insufficient and directly contributed to the vulnerability by allowing malicious queries to pass as safe. The patch completely overhauled its validation logic. These functions would appear in a runtime profile during exploitation: the REST method receives the input, and HqlQueryExecutor.execute (which internally relies on the logic previously in isSafeSelect for validation) executes it.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t It is possi*l* *or * r*mot* un*ut**nti**t** us*r to *s**p* *rom t** *QL *x**ution *ont*xt *n* p*r*orm * *lin* SQL inj**tion to *x**ut* *r*itr*ry SQL st*t*m*nts on t** **t***s* ***k*n*, in*lu*in* w**n "Pr*v*nt unr**ist*r** us*rs *rom vi*wi

Reasoning

T** vuln*r**ility is *n SQL inj**tion in t** *QL qu*ry *n*point o* t** XWiki R*ST *PI. T** *n*lysis *o*us** on t** provi*** *ommit `****************************************`. *. T** R*ST *PI l*y*r, sp**i*i**lly * m*t*o* lik* `****ultQu*ryR*sour**.**t

9.8

Basic Information

Concerned about an active attack path?

CVE-2025-32969: org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API

Impact

Patches

Workarounds

References

For more information

Attribution

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI