CVE-2025-32970: org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability
An open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirect to any URL. To reproduce, open <xwiki-host>/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://www.example.com/ where <xwiki-host> is the URL of your XWiki installation.
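
A log check for the request pattern described above, as an added example that is not part of the advisory or of XWiki's code: it flags access-log requests that carry RequiresHTMLConversion together with an xerror value resolving to a host other than the wiki. WIKI_ORIGIN, the function names, the access-log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumption: the wiki's own origin; replace with your installation's URL.
WIKI_ORIGIN = "https://wiki.example.org"

# Request line of a common/combined-format access-log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def external_xerror_target(request_target, origin=WIKI_ORIGIN):
    """Return the off-site xerror value if the request matches the pattern, else None."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    # The reproduction URL combines RequiresHTMLConversion with xerror; require both.
    if "RequiresHTMLConversion" not in query:
        return None
    own_host = urlsplit(origin).netloc.lower()
    for value in query.get("xerror", []):
        # Resolve the way a browser would: relative paths stay on the wiki,
        # absolute and scheme-relative values may point elsewhere.
        resolved = urlsplit(urljoin(origin + "/", value.strip()))
        if resolved.netloc.lower() != own_host:
            return value
    return None


def scan(lines, origin=WIKI_ORIGIN):
    """Return (line_number, xerror_value) for every log line that should be reviewed."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            target = external_xerror_target(match.group(1), origin)
            if target is not None:
                hits.append((number, target))
    return hits


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2025:10:00:00 +0000] "GET /xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://www.example.com/ HTTP/1.1" 302 0',
    '203.0.113.8 - - [01/May/2025:10:00:05 +0000] "GET /xwiki/bin/view/Main/?RequiresHTMLConversion=content&xerror=%2Fxwiki%2Fbin%2Fedit%2FMain%2FWebHome HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/May/2025:10:00:09 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120',
    '203.0.113.10 - - [01/May/2025:10:00:12 +0000] "GET /xwiki/bin/view/Main/?RequiresHTMLConversion=foo&xerror=%2F%2Fwww.example.com%2F HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: xerror points off-site -> {target}")
```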