CVE-2025-52472: XWiki Platform is vulnerable to HQL injection via wiki and space search REST API
The REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it’s not that easy to exploit. The part of the query between the two fields can be enclosed in single quotes to effectively remove them, but the query still needs to remain valid with the query two times in it.
For example, with the following orderField parameter:
References
- github.com/advisories/GHSA-gprp-h92g-gc2h
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/743ebf8696ffa55161ed2c5ecf26b09f69e6bcf1
- github.com/xwiki/xwiki-platform/commit/a45eca2af772abb7324e56d7fd2df1ac937bc445
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-gprp-h92g-gc2h
- jira.xwiki.org/browse/XWIKI-23247
- nvd.nist.gov/vuln/detail/CVE-2025-52472
Code Behaviors & Features
Detect and mitigate CVE-2025-52472 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →