CVE-2025-49585: XWiki does not require right warnings for XClass definitions

June 13, 2025

When an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful.

References

github.com/advisories/GHSA-59w6-r9hm-439h
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/385bde985cdb61ebf315d30c0b144b6d2e2c2d45
github.com/xwiki/xwiki-platform/security/advisories/GHSA-59w6-r9hm-439h
jira.xwiki.org/browse/XWIKI-22476
nvd.nist.gov/vuln/detail/CVE-2025-49585

Code Behaviors & Features

Detect and mitigate CVE-2025-49585 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →