CVE-2025-52472: XWiki Platform is vulnerable to HQL injection via wiki and space search REST API

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 10/6/2025
Updated: 10/6/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.xwiki.platform:xwiki-platform-rest-server | maven | >= 17.0.0-rc-1, < 17.4.2 | 17.4.2
org.xwiki.platform:xwiki-platform-rest-server | maven | >= 4.3-milestone-1, < 16.10.9 | 16.10.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is an HQL injection flaw within the XWiki Platform's REST API, specifically in functions that handle searching and historical data retrieval. The root cause is the improper construction of HQL queries where user-controlled parameters, orderField and order, were concatenated directly into the query string for sorting purposes without adequate sanitization.

The analysis of the provided patches shows two main areas of weakness:

  1. orderField Injection: In search-related functions like DatabaseKeywordSearchSource.searchPages and DatabaseKeywordSearchSource.searchObjects, the orderField parameter was used to specify a field for sorting. The patch introduced a check to ensure this field name is alphanumeric. Before this, an attacker could supply a malicious HQL snippet in orderField, which would be embedded into the query, leading to arbitrary HQL execution.
  2. order Injection: In several resource implementation classes (ModificationsResourceImpl, PageHistoryResourceImpl, PageTranslationHistoryResourceImpl), the order parameter (meant for 'asc' or 'desc') was used directly in the query. The patch replaces the direct usage with a call to a new utility function, HqlQueryUtils.getValidQueryOrder, which strictly validates the input.

By identifying the functions where these parameters were used insecurely, we can pinpoint the exact locations in the code that are vulnerable. During an exploit, these functions would be present in the runtime profile as they are responsible for processing the malicious request and constructing the injected HQL query.
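As an added illustration (this is not XWiki's code and not the project's HqlQueryUtils implementation), the two validations described above applied before a sort field and a sort direction are spliced into an HQL ORDER BY clause; the allow-list of sortable fields and the base query are assumptions of this example.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not XWiki code: validate a REST sort field and sort order
// before they reach an HQL query string.
public final class HqlOrderByGuard {
    // Assumption of this example: an allow-list of fields the endpoint will sort by.
    // The advisory describes an alphanumeric check; the allow-list is the stricter variant.
    private static final Set<String> SORTABLE = Set.of("name", "date", "author", "space");
    private static final Pattern ALNUM = Pattern.compile("^[A-Za-z0-9]+$");

    // The vulnerable shape the advisory describes: request parameters concatenated
    // directly into the query, so anything the caller sends becomes HQL.
    static String unsafeOrderBy(String hql, String orderField, String order) {
        return hql + " order by doc." + orderField + " " + order;
    }

    // Plays the role the advisory assigns to HqlQueryUtils.getValidQueryOrder:
    // only 'asc' or 'desc' (case-insensitive) pass; anything else is rejected.
    static String validOrder(String order) {
        if (order == null || order.isEmpty()) return "asc";
        String lower = order.toLowerCase();
        if (lower.equals("asc") || lower.equals("desc")) return lower;
        throw new IllegalArgumentException("invalid sort order: " + order);
    }

    // Alphanumeric check first (the patch's fix), then the allow-list.
    static String validOrderField(String orderField) {
        if (orderField == null || !ALNUM.matcher(orderField).matches()) {
            throw new IllegalArgumentException("sort field must be alphanumeric");
        }
        if (!SORTABLE.contains(orderField)) {
            throw new IllegalArgumentException("unknown sort field: " + orderField);
        }
        return orderField;
    }

    static String safeOrderBy(String hql, String orderField, String order) {
        return hql + " order by doc." + validOrderField(orderField) + " " + validOrder(order);
    }

    public static void main(String[] args) {
        // Illustrative base query; the parameter :q is bound separately, never concatenated.
        String base = "select doc.fullName from XWikiDocument as doc where doc.fullName like :q";
        System.out.println(safeOrderBy(base, "date", "DESC"));
        String[][] rejected = { {"date", "descending"}, {"doc.author", "asc"}, {"title", "asc"} };
        for (String[] in : rejected) {
            try { safeOrderBy(base, in[0], in[1]); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Because validation happens before the value is used, the same guard covers a field name that appears more than once in the query (for example in both the select list and the order clause).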

Vulnerable functions

org.xwiki.rest.internal.resources.DatabaseKeywordSearchSource.searchPages
xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/resources/DatabaseKeywordSearchSource.java
The 'orderField' parameter, taken from user-controlled options, is used to construct an HQL query's ORDER BY clause. The patch adds a check to ensure 'orderField' is alphanumeric. Before this change, a crafted string could be passed in 'orderField' to inject arbitrary HQL, as the query was not executed with the secure query manager by default.
org.xwiki.rest.internal.resources.DatabaseKeywordSearchSource.searchObjects
xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/resources/DatabaseKeywordSearchSource.java
Similar to the 'searchPages' function, this method was vulnerable to HQL injection through the 'orderField' parameter. The parameter was used to build the ORDER BY clause of a query without proper validation. The patch mitigates this by checking if 'orderField' is alphanumeric and using a more secure query manager if it is not.
org.xwiki.rest.internal.resources.BaseSearchResult.searchPages
xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/resources/BaseSearchResult.java
This function constructs an HQL query for searching pages. It used the `orderField` and `order` parameters from the request to build the `ORDER BY` clause. Before the patch, the `orderField` was not sanitized, allowing an attacker to inject HQL code. The patch now uses a secure query manager and validates the `order` parameter.
org.xwiki.rest.internal.resources.ModificationsResourceImpl.getModifications
xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/resources/ModificationsResourceImpl.java
This function was vulnerable to HQL injection via the 'order' parameter, which was directly used in constructing the query's ORDER BY clause without validation. The patch introduces the use of 'HqlQueryUtils.getValidQueryOrder' to ensure the 'order' parameter is safe.
org.xwiki.rest.internal.resources.pages.PageHistoryResourceImpl.getPageHistory
xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/resources/pages/PageHistoryResourceImpl.java
This function was vulnerable to HQL injection via the 'order' parameter. The parameter was directly concatenated into the HQL query string for sorting results, allowing for manipulation of the query. The patch fixes this by validating the 'order' parameter.
org.xwiki.rest.internal.resources.pages.PageTranslationHistoryResourceImpl.getPageTranslationHistory
xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/resources/pages/PageTranslationHistoryResourceImpl.java
Similar to other history-related resources, this function was vulnerable to HQL injection through the 'order' parameter, which was used without validation in the ORDER BY clause of a query. The patch applies the same fix by using a utility function to validate the parameter.

WAF Protection Rules

WAF Rule

Impact

The REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit.
