10

CVSS Score

Basic Information

CVE ID

CVE-2025-53836

GHSA ID

GHSA-32mf-57h2-64x9

EPSS Score

CWE

CWE-94

Published

7/14/2025

Updated

7/15/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-53836

CVE-2025-53836:
XWiki Rendering is vulnerable to RCE attacks when processing nested macros

Impact

The default macro content parser didn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. The following XWiki syntax, when used inside a comment in XWiki, demonstrates the privilege escalation from comment right to programming right and thus remote code execution (RCE) that is possible due to this:

{{cache}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/cache}}

This vulnerability exists since the restricted attribute has been added to the transformation context in version 4.2.

Patches

This has been patched in XWiki 13.10.11, 14.4.7 and 14.10.

Workarounds

To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.

Resources

https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d
https://jira.xwiki.org/browse/XRENDERING-689
https://jira.xwiki.org/browse/XWIKI-20375

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Attribution

This vulnerability has been reported on Intigriti by René de Sain @renniepak.

(GitHub Advisory)

10

CVSS Score

Basic Information

CVE ID

CVE-2025-53836

GHSA ID

GHSA-32mf-57h2-64x9

EPSS Score

CWE

CWE-94

Published

7/14/2025

Updated

7/15/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.rendering:xwiki-rendering-transformation-macro	maven	>= 4.2-milestone-1, < 13.10.11	13.10.11
org.xwiki.rendering:xwiki-rendering-transformation-macro	maven	>= 14.0, < 14.4.7	14.4.7
org.xwiki.rendering:xwiki-rendering-transformation-macro	maven	>= 14.5, < 14.10	14.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patch commit c73fa3ccd4ac59057e48e5d4325f659e78e8f86d clearly indicates that the vulnerability is located in the DefaultMacroContentParser.java file. The core of the issue is within the createXDOM method. The vulnerability description states that the 'restricted' attribute of the transformation context was not preserved when processing nested macros. The patch confirms this by modifying the instantiation of TransformationContext. The original, vulnerable code (TransformationContext txContext = new TransformationContext(result, syntax);) created a new context that would not be restricted by default. The patch introduces logic to check the parent context's restricted status and pass it to the new context (new TransformationContext(result, syntax, isRestricted)). This change directly addresses the described vulnerability. Therefore, the createXDOM function is the vulnerable function, as it was responsible for creating the insecure nested execution context that could lead to Remote Code Execution (RCE).

Vulnerable functions

org.xwiki.rendering.internal.macro.DefaultMacroContentParser.createXDOM

xwiki-rendering-transformations/xwiki-rendering-transformation-macro/src/main/java/org/xwiki/rendering/internal/macro/DefaultMacroContentParser.java

The vulnerability lies in the `createXDOM` function, which is responsible for parsing and executing the content of a macro. Before the patch, when creating a new transformation context for nested content, it used `new TransformationContext(result, syntax)`, which does not preserve the 'restricted' status from the parent macro's context. This allowed a nested macro to execute with elevated privileges, bypassing security restrictions. The patch fixes this by explicitly checking if the parent context is restricted (`wrappingContext.isRestricted()`) and propagating this flag to the new `TransformationContext`.

WAF Protection Rules

WAF Rule

### Imp**t T** ****ult m**ro *ont*nt p*rs*r *i*n't pr*s*rv* t** r*stri*t** *ttri*ut* o* t** tr*ns*orm*tion *ont*xt w**n *x**utin* n*st** m**ros. T*is *llows *x**utin* m**ros t**t *r* norm*lly *or*i***n in r*stri*t** mo**, in p*rti*ul*r s*ript m**ros

Reasoning

T** *n*lysis o* t** provi*** p*t** *ommit `****************************************` *l**rly in*i**t*s t**t t** vuln*r**ility is lo**t** in t** `****ultM**ro*ont*ntP*rs*r.j*v*` *il*. T** *or* o* t** issu* is wit*in t** `*r**t*X*OM` m*t*o*. T** vuln*r

10

Basic Information

Concerned about an active attack path?

CVE-2025-53836: XWiki Rendering is vulnerable to RCE attacks when processing nested macros

Impact

Patches

Workarounds

Resources

For more information

Attribution

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-53836:
XWiki Rendering is vulnerable to RCE attacks when processing nested macros

Vulnerability Intelligence
Miggo AI