CVE-2025-29924: XWiki uses the wrong wiki reference in AuthorizationManager

March 19, 2025 (updated April 30, 2025)

It’s possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using “Prevent unregistered users to view pages”. The vulnerability only affects subwikis, and it only concerns specific right options such as “Prevent unregistered users to view pages”. or “Prevent unregistered users to edit pages”.

It’s possible to detect the vulnerability by enabling “Prevent unregistered users to view pages” and then trying to access a page through the REST API without using any credentials.

References

github.com/advisories/GHSA-gq32-758c-3wm3
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/5f98bde87288326cf5787604e2bb87836875ed0e
github.com/xwiki/xwiki-platform/security/advisories/GHSA-gq32-758c-3wm3
jira.xwiki.org/browse/XWIKI-22640
nvd.nist.gov/vuln/detail/CVE-2025-29924

Code Behaviors & Features

Detect and mitigate CVE-2025-29924 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →