5.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-58049

GHSA ID

GHSA-9m7c-m33f-3429

EPSS Score

CWE

CWE-212

Published

8/28/2025

Updated

8/28/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-58049

CVE-2025-58049: XWiki PDF export jobs store sensitive cookies unencrypted in job statuses

Impact

The PDF export uses a background job that runs on the server-side. Jobs like this have a status that is serialized in the permanent directory when the job is finished. The job status includes the job request. The PDF export job request is initialized, before the job starts, with some context information that is needed to replicate the HTTP request (used to trigger the export) in the background thread used to run the export job. This context information includes the cookies from the HTTP request that triggered the export. As a result, the user cookies (including the encrypted username and password) are stored in the permanent directory after the PDF export is finished. As the encryption key is stored in the same data directory (by default it is generated in data/configuration.properties), this means that this job status contains the equivalent of the plain text password of the user who requested the PDF export.

XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory.

Patches

This vulnerability has been patched in XWiki 16.4.8, 16.10.7 and 17.4.0RC1.

Workarounds

We're not aware of any workarounds except for upgrading.

(GitHub Advisory)

5.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-58049

GHSA ID

GHSA-9m7c-m33f-3429

EPSS Score

CWE

CWE-212

Published

8/28/2025

Updated

8/28/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-export-pdf-api	maven	>= 14.4.2, < 16.4.8	16.4.8
org.xwiki.platform:xwiki-platform-export-pdf-api	maven	>= 16.5.0-rc-1, < 16.10.7	16.10.7
org.xwiki.platform:xwiki-platform-export-pdf-api	maven	>= 17.0.0-rc-1, < 17.4.0-rc-1	17.4.0-rc-1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security advisory and the associated patch commit 60982ad0057b1701ed8297f28cad35d170686539 clearly indicates the source of the vulnerability. The vulnerability description explains that sensitive user cookies are stored in the serialized status of a PDF export job. The patch addresses this by introducing a cleanup() method within the PDFExportJob.java file. This new method is explicitly designed to remove sensitive keys such as request.session, request.headers, and request.cookies from the job's request context. The runInternal() method, which orchestrates the PDF export, was modified to guarantee the execution of this cleanup() method by placing it in a finally block. Therefore, the runInternal() function is identified as the vulnerable function because, before the patch, it was responsible for the process that left sensitive data in a stored state. When a user triggers a PDF export, this function would be on the execution stack, and its failure to sanitize the job context is the root cause of the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** P** *xport us*s * ***k*roun* jo* t**t runs on t** s*rv*r-si**. Jo*s lik* t*is **v* * st*tus t**t is s*ri*liz** in t** p*rm*n*nt *ir**tory w**n t** jo* is *inis***. T** jo* st*tus in*lu**s t** jo* r*qu*st. T** P** *xport jo* r*qu*st is

Reasoning

T** *n*lysis o* t** s**urity **visory *n* t** *sso*i*t** p*t** *ommit `****************************************` *l**rly in*i**t*s t** sour** o* t** vuln*r**ility. T** vuln*r**ility **s*ription *xpl*ins t**t s*nsitiv* us*r *ooki*s *r* stor** in t** s

5.8

Basic Information

Concerned about an active attack path?

CVE-2025-58049: XWiki PDF export jobs store sensitive cookies unencrypted in job statuses

Impact

Patches

Workarounds

5.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI