CVE-2025-54124: XWiki leaks password hashes and other accessible password properties

August 5, 2025 (updated August 6, 2025)

Any user with edit right on a page of the wiki can create an XClass with a database list property that references a password property, for example the password hash that is stored for users. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view.

References

github.com/advisories/GHSA-r38m-cgpg-qj69
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24
github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69
jira.xwiki.org/browse/XWIKI-22811
nvd.nist.gov/vuln/detail/CVE-2025-54124

Code Behaviors & Features

Detect and mitigate CVE-2025-54124 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →