8.6

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-49582

GHSA ID

GHSA-c32m-27pj-4xcj

EPSS Score

0.52786%

CWE

CWE-357

Published

6/13/2025

Updated

6/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-49582

CVE-2025-49582: XWiki's required right warnings for macros are incomplete

Impact

When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles of information boxes weren't analyzed at all. Similarly, the "source" parameters of the content and context macro weren't anylzed even though they could contain arbitrary XWiki syntax. In the worst case, this could allow a malicious to add malicious script macros including Groovy or Python macros to a page that are then executed after another user with programming righs edits the page, thus allowing remote code execution.

Patches

The required rights analyzers have been made more robust and extended to cover those cases in XWiki 16.4.7, 16.10.3 and 17.0.0.

Workarounds

We're not aware of any workarounds except for being careful when editing content authored by untrusted users.

References

https://jira.xwiki.org/browse/XWIKI-22763
https://jira.xwiki.org/browse/XWIKI-22759
https://jira.xwiki.org/browse/XWIKI-22758
https://jira.xwiki.org/browse/XWIKI-22799
https://github.com/xwiki/xwiki-platform/commit/abdcefc0db27035b67329add836fd683e0cf92b8
https://github.com/xwiki/xwiki-platform/commit/cc74dc802efe0e2d3fa2ba3355dbadc51c5fd8c7
https://github.com/xwiki/xwiki-platform/commit/0a705e8e253cb871b804e25c53b2bde879c886bd
https://github.com/xwiki/xwiki-platform/commit/3d451e957fe2b14459e9ac64172b4a0e4c46971c

(GitHub Advisory)

8.6

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-49582

GHSA ID

GHSA-c32m-27pj-4xcj

EPSS Score

0.52786%

CWE

CWE-357

Published

6/13/2025

Updated

6/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-rendering-xwiki	maven	>= 15.9-rc-1, < 16.4.7	16.4.7
org.xwiki.platform:xwiki-platform-rendering-xwiki	maven	>= 16.5.0-rc-1, < 16.10.3	16.10.3
org.xwiki.platform:xwiki-platform-rendering-xwiki	maven	>= 17.0.0-rc-1, < 17.0.0	17.0.0
org.xwiki.platform:xwiki-platform-rendering-macro-cache	maven	>= 15.9-rc-1, < 16.4.7	16.4.7
org.xwiki.platform:xwiki-platform-rendering-macro-cache	maven	>= 16.5.0-rc-1, < 16.10.3	16.10.3
org.xwiki.platform:xwiki-platform-rendering-macro-cache	maven	>= 17.0.0-rc-1, < 17.0.0	17.0.0
org.xwiki.platform:xwiki-platform-security-requiredrights-default	maven	>= 15.9-rc-1, < 16.4.7	16.4.7
org.xwiki.platform:xwiki-platform-security-requiredrights-default	maven	>= 16.5.0-rc-1, < 16.10.3	17.0.0
org.xwiki.platform:xwiki-platform-security-requiredrights-default	maven	>= 17.0.0-rc-1, < 17.0.0	17.0.0
org.xwiki.platform:xwiki-platform-rendering-macro-context	maven	>= 15.9-rc-1, < 16.4.7	16.4.7
org.xwiki.platform:xwiki-platform-rendering-macro-context	maven	>= 16.5.0-rc-1, < 16.10.3	16.10.3
org.xwiki.platform:xwiki-platform-rendering-macro-context	maven	>= 17.0.0-rc-1, < 17.0.0	17.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in several XWiki macro rights analyzers having incomplete or flawed logic, allowing attackers to craft macro invocations that bypass proper rights warnings. This could lead to remote code execution if a privileged user edits a page containing such malicious macros.

The specific issues identified and patched were:

Incomplete Parameter Analysis: The DefaultMacroBlockRequiredRightAnalyzer.analyzeWithExceptions method did not sufficiently analyze macro parameters that could themselves contain renderable XWiki syntax. Attackers could hide malicious content in such parameters.
Missing Analysis of 'source' Parameter: The ContextMacroRequiredRightsAnalyzer.analyze method failed to analyze the source parameter of the context macro. This meant content referenced via this parameter (including script variables) was not checked for required rights.
Case-Sensitive Parameter Lookups: Several analyzers, including those for Cache, HTML, and Raw macros (CacheMacroRequiredRightsAnalyzer.analyze, HTMLMacroRequiredRightsAnalyzer.analyze, RawMacroRequiredRightsAnalyzer.analyze), used case-sensitive methods to retrieve critical parameters (e.g., "id", "wiki", "clean", "syntax"). Attackers could use different casings for these parameter names (e.g., "ID", "Wiki") to evade analysis.
Missing Analyzer for 'content' Macro: The vulnerability description also mentions that the 'content' macro's 'source' parameter was not analyzed. This was addressed by adding a new analyzer (ContentMacroRequiredRightsAnalyzer) in commit 0a705e8e253cb871b804e25c53b2bde879c886bd. Since this was a missing component rather than a flawed existing function, its newly added functions are not listed as 'vulnerable' but as the fix.

The patches address these flaws by making parameter analysis more comprehensive, adding checks for previously uninspected parameters like 'source', and ensuring that parameter name lookups are case-insensitive. These changes aim to make the rights warnings more robust and prevent attackers from hiding malicious macro content.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n **itin* *ont*nt t**t *ont*ins "**n**rous" m**ros lik* m*li*ious s*ript m**ros t**t w*r* *ut*or** *y * us*r wit* **w*r ri**ts, XWiki w*rns **out t** *x**ution o* t**s* m**ros sin** XWiki **.*R**. T**s* r*quir** ri**ts *n*lyz*rs t**t tr

Reasoning

T** vuln*r**ility li*s in s*v*r*l XWiki m**ro ri**ts *n*lyz*rs **vin* in*ompl*t* or *l*w** lo*i*, *llowin* *tt**k*rs to *r**t m**ro invo**tions t**t *yp*ss prop*r ri**ts w*rnin*s. T*is *oul* l*** to r*mot* *o** *x**ution i* * privil**** us*r **its *

8.6

Basic Information

Concerned about an active attack path?

CVE-2025-49582: XWiki's required right warnings for macros are incomplete

Impact

Patches

Workarounds

References

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI