CVE-2025-54385: XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API
In Oracle, arbitrary SQL can be executed through functions such as DBMS_XMLGEN or DBMS_XMLQUERY.
The XWiki#searchDocuments APIs do not sanitize the query at all, and even though they force a specific SELECT, Hibernate allows any native database function to be used in an HQL query (for example in the WHERE clause).
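The advisory's point is that prefixing a fixed SELECT does nothing to constrain what the caller-supplied WHERE fragment may call. The following Python is an added illustration of one defence-in-depth check for that situation; it is not XWiki's code and not the change made in the referenced commits (the page does not describe the patch). The allowlist contents, the keyword list and the SELECT prefix are constructed assumptions. The validator strips string literals, collects every identifier followed by "(" in the HQL fragment (package-qualified names such as DBMS_XMLGEN.GETXML included), and refuses the fragment unless every call is on an explicit allowlist. Values that come from users should still be passed as bound parameters rather than spliced into the fragment; this check only limits which functions a fragment can invoke.

```python
import re

# Constructed allowlist of HQL functions a document-search filter may legitimately
# call. Illustrative only; it is not XWiki's configuration.
ALLOWED_FUNCTIONS = frozenset({
    "lower", "upper", "trim", "length", "concat", "coalesce", "substring",
})

# HQL keywords that may legitimately be followed by "(" without being a function call,
# e.g. "doc.space in (:spaces)" or "exists (select ...)". Constructed list.
HQL_KEYWORDS_BEFORE_PAREN = frozenset({
    "in", "not", "exists", "and", "or", "where", "select", "from",
    "any", "all", "some",
})

# A (possibly package-qualified) identifier immediately followed by an opening parenthesis.
FUNC_CALL_RE = re.compile(
    r"\b([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\s*\("
)

# Single-quoted HQL string literal; '' is the escaped quote inside a literal.
STRING_LITERAL_RE = re.compile(r"'(?:[^']|'')*'")

# Assumed fixed SELECT prefix, standing in for whatever a search API prepends.
FIXED_SELECT = "select distinct doc.fullName from XWikiDocument as doc where "


def strip_string_literals(fragment: str) -> str:
    """Blank out string literals so text inside quotes is never parsed as a call."""
    return STRING_LITERAL_RE.sub("''", fragment)


def find_function_calls(where_fragment: str) -> list[str]:
    """Return every function-like call name in the fragment, lower-cased, in order."""
    code = strip_string_literals(where_fragment)
    names = []
    for match in FUNC_CALL_RE.finditer(code):
        name = match.group(1).lower()
        if name in HQL_KEYWORDS_BEFORE_PAREN:
            continue
        names.append(name)
    return names


def disallowed_function_calls(where_fragment: str) -> list[str]:
    """Calls in the fragment that are not on the allowlist (empty list means none)."""
    return [n for n in find_function_calls(where_fragment) if n not in ALLOWED_FUNCTIONS]


def is_safe_where(where_fragment: str) -> bool:
    """True only when every function call in the fragment is allowlisted."""
    return not disallowed_function_calls(where_fragment)


def build_search_hql(where_fragment: str) -> str:
    """Assemble the full statement as a fixed-select search API would, but refuse
    fragments that call anything outside the allowlist. Raises ValueError on refusal."""
    bad = disallowed_function_calls(where_fragment)
    if bad:
        raise ValueError(f"rejected HQL fragment: disallowed function call(s) {bad}")
    return FIXED_SELECT + where_fragment


if __name__ == "__main__":
    # Constructed sample fragments: the first two are ordinary search filters, the third
    # calls an Oracle package function from the WHERE clause and is refused.
    for fragment in (
        "doc.space = :space and lower(doc.name) like :name",
        "doc.name = 'nothing(here)' and doc.space in (:spaces)",
        "doc.space = 'Main' and DBMS_XMLGEN.GETXML(:q) is not null",
    ):
        print(fragment, "->", "safe" if is_safe_where(fragment) else
              f"rejected {disallowed_function_calls(fragment)}")
```

Because the check is an allowlist rather than a denylist of known-dangerous packages, a vendor-specific function the validator has never heard of is refused by default, which is the property that matters here: Hibernate passes unknown function names through to the database, so enumerating bad ones can never be complete.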
References
- docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html
- github.com/advisories/GHSA-p9qm-p942-q3w5
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/7313dc9b533c70f14b7672379c8b3b63d1fd8f51
- github.com/xwiki/xwiki-platform/commit/7c4087d44ac550610b2fa413dd4f5375409265a5
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5
- jira.xwiki.org/browse/XWIKI-22728
- nvd.nist.gov/vuln/detail/CVE-2025-54385
- www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.6