CVE-2025-29924
Published: 19 March 2025
Summary
CVE-2025-29924 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Xwiki Xwiki. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations, directly countering the authorization bypass that allows unauthenticated REST API access to private subwiki pages.
AC-14 restricts and monitors actions permitted without identification or authentication, preventing unauthorized access to sensitive information via unauthenticated API calls as in this CVE.
SI-2 requires timely flaw remediation, directly mitigating this vulnerability through application of available patches in affected XWiki versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in public-facing XWiki platform enables direct exploitation of the web application via REST API to access restricted content without authentication, mapping to T1190 Exploit Public-Facing Application.
NVD Description
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub…
more
wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages". or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1.
Deeper analysisAI
CVE-2025-29924 is an authorization bypass vulnerability in the XWiki Platform, a generic wiki platform. It affects versions prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, specifically impacting subwikis configured with rights options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages." The flaw allows unauthorized access to private information through the REST API or potentially other APIs, bypassing these restrictions.
Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By directly accessing a protected page via the REST API without credentials—after enabling the relevant subwiki restriction—an attacker can retrieve confidential content, leading to high confidentiality impact. The issue stems from improper privilege management (CWE-269) and incorrect authorization (CWE-863).
Patches are available in XWiki 15.10.14, 16.4.6, and 16.10.0-rc-1, as detailed in the GitHub security advisory (GHSA-gq32-758c-3wm3), the fixing commit (5f98bde87288326cf5787604e2bb87836875ed0e), and XWiki JIRA ticket XWIKI-22640. Security practitioners should upgrade affected subwikis immediately and verify configurations to ensure the vulnerability is not detectable by unauthenticated REST API requests to protected pages.
Details
- CWE(s)