CVE-2025-49587: XWiki does not require right warnings for notification displayer objects

June 13, 2025

When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful.

References

github.com/advisories/GHSA-j7p2-87q3-44w7
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d
github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7
jira.xwiki.org/browse/XWIKI-22470
nvd.nist.gov/vuln/detail/CVE-2025-49587

Code Behaviors & Features

Detect and mitigate CVE-2025-49587 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →