CVE-2025-49584
XWiki makes title of inaccessible pages available through the class property values REST API
Description
XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page.
INFO
Published Date :
June 13, 2025, 6:15 p.m.
Last Modified :
Sept. 3, 2025, 5:48 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 4.0 | HIGH | [email protected] |
Solution
- Update to XWiki 16.4.7 or later.
- Update to XWiki 16.10.3 or later.
- Update to XWiki 17.0.0 or later.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-49584.
| URL | Resource |
|---|---|
| https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec | Patch |
| https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv | Vendor Advisory |
| https://jira.xwiki.org/browse/XWIKI-22736 | Exploit Issue Tracking Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-49584 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-49584
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-49584 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2025-49584 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Sep. 03, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Added CPE Configuration OR *cpe:2.3:a:xwiki:xwiki:17.0.0:rc1:*:*:*:*:*:* *cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* versions from (including) 16.5.0 up to (excluding) 16.10.3 *cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* versions from (including) 10.9 up to (excluding) 16.4.7 Added Reference Type GitHub, Inc.: https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec Types: Patch Added Reference Type GitHub, Inc.: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv Types: Vendor Advisory Added Reference Type GitHub, Inc.: https://jira.xwiki.org/browse/XWIKI-22736 Types: Exploit, Issue Tracking, Vendor Advisory -
New CVE Received by [email protected]
Jun. 13, 2025
Action Type Old Value New Value Added Description XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-201 Added Reference https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec Added Reference https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv Added Reference https://jira.xwiki.org/browse/XWIKI-22736