CVE-2025-53835: XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax
(updated )
The XHTML syntax depended on the xdom+xml/current syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). The attack works by setting the document’s syntax to xdom+xml/current and then inserting content like
<document><p><metadata><metadata><entry><string>syntax</string><org.xwiki.rendering.syntax.Syntax><type><name>XHTML</name><id>xhtml</id><variants class="empty-list"></variants></type><version>5</version></org.xwiki.rendering.syntax.Syntax></entry></metadata></metadata></p><rawtext syntax="html/5.0" content="<script>alert(1);</script>"></rawtext></document>
This has been fixed by removing the dependency on the xdom+xml/current syntax from the XHTML syntax. Note that the xdom+xml syntax is still vulnerable to this attack. As it’s main purpose is testing and its use is quite difficult, this syntax shouldn’t be installed or used on a regular wiki. We’re currently not aware of any further dependencies on it.
References
- github.com/advisories/GHSA-w3wh-g4m9-783p
- github.com/xwiki/xwiki-rendering
- github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7
- github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p
- jira.xwiki.org/browse/XRENDERING-660
- nvd.nist.gov/vuln/detail/CVE-2025-53835
Code Behaviors & Features
Detect and mitigate CVE-2025-53835 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →