CVE-2025-24893: XWiki Platform allows remote code execution as guest via SolrSearchMacros request
Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation.
References
- github.com/advisories/GHSA-rr6p-3pfg-562j
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml
- github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm
- github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j
- jira.xwiki.org/browse/XWIKI-22149
- nvd.nist.gov/vuln/detail/CVE-2025-24893