CVE-2025-32969: org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2025-32969
GHSA ID:
EPSS Score: 0.90023%
CWE:
Published: 4/23/2025
Updated: 4/30/2025
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-rest-server | maven | >= 1.8, < 15.10.16 | 15.10.16 |
| org.xwiki.platform:xwiki-platform-rest-server | maven | >= 16.0.0-rc-1, < 16.4.6 | 16.4.6 |
| org.xwiki.platform:xwiki-platform-rest-server | maven | >= 16.5.0-rc-1, < 16.10.1 | 16.10.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is an SQL injection in the HQL query endpoint of the XWiki REST API. The analysis focused on the provided commit 5c11a874bd24a581f534d283186e209bbccd8113.
- The REST API layer, specifically a method like `DefaultQueryResource.getResults` (inferred from the vulnerable path `/rest/wikis/xwiki/query` and from the patch to `AbstractDatabaseSearchSource.java`, which is in the same REST server module), is the entry point that processes the malicious `q` parameter from the user.
- The core of the HQL execution logic resides in `com.xpn.xwiki.store.hibernate.query.HqlQueryExecutor`. The `execute` method within this class is where the (potentially malicious) HQL query is run. The patch modifies the timing and context of the checks within this method.
- The `isSafeSelect` method in `HqlQueryExecutor` was responsible for validating the HQL query. Its previous implementation was insufficient and directly contributed to the vulnerability by allowing malicious queries to pass as safe. The patch completely overhauled its validation logic.
These functions would appear in a runtime profile during exploitation: the REST method receives the input, and `HqlQueryExecutor.execute` (which internally relies on the logic previously in `isSafeSelect` for validation) executes it.