CVE-2025-24893: XWiki Platform allows remote code execution as guest via SolrSearchMacros request

February 20, 2025

Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation.

References

github.com/advisories/GHSA-rr6p-3pfg-562j
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml
github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm
github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40
github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j
jira.xwiki.org/browse/XWIKI-22149
nvd.nist.gov/vuln/detail/CVE-2025-24893

Detect and mitigate CVE-2025-24893 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →