CVE-2025-32783: Unregistered users can see "public" messages from a closed wiki via notifications from a different wiki

April 16, 2025 (updated April 17, 2025)

This vulnerability impacts users of a subwiki of XWiki where Message Stream is enabled and use, if they configured their wiki to be closed by selecting “Prevent unregistered users to view pages” in the Administrations Rights.

The vulnerability is that any message sent in a subwiki to “everyone” is actually sent to the farm: any visitor of the main wiki will be able to see that message through the Dashboard, even if the subwiki is configured to be private.

References

github.com/advisories/GHSA-42fh-pvvh-999x
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/security/advisories/GHSA-42fh-pvvh-999x
jira.xwiki.org/browse/XWIKI-17154
nvd.nist.gov/vuln/detail/CVE-2025-32783

Code Behaviors & Features

Detect and mitigate CVE-2025-32783 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →