Cyber Resilience

CVE-2025-29924

High

Published: 19 March 2025

Published
19 March 2025
Modified
30 April 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 57.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29924 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Xwiki Xwiki. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-29924 is an authorization bypass vulnerability in the XWiki Platform, a generic wiki platform. It affects versions prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, specifically impacting subwikis configured with rights options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages." The flaw allows unauthorized access to private information through the REST API or potentially other APIs, bypassing these restrictions.

Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By directly accessing a protected page via the REST API without credentials—after enabling the relevant subwiki restriction—an attacker can retrieve confidential content, leading to high confidentiality impact. The issue stems from improper privilege management (CWE-269) and incorrect authorization (CWE-863).

Patches are available in XWiki 15.10.14, 16.4.6, and 16.10.0-rc-1, as detailed in the GitHub security advisory (GHSA-gq32-758c-3wm3), the fixing commit (5f98bde87288326cf5787604e2bb87836875ed0e), and XWiki JIRA ticket XWIKI-22640. Security practitioners should upgrade affected subwikis immediately and verify configurations to ensure the vulnerability is not detectable by unauthenticated REST API requests to protected pages.

EU & UK References

Vulnerability details

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub…

more

wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages". or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass in public-facing XWiki platform enables direct exploitation of the web application via REST API to access restricted content without authentication, mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-29926Same product: Xwiki Xwiki
CVE-2025-54385Same product: Xwiki Xwiki
CVE-2025-32429Same product: Xwiki Xwiki
CVE-2025-24893Same product: Xwiki Xwiki
CVE-2025-53836Same product: Xwiki Xwiki
CVE-2025-55747Same product: Xwiki Xwiki
CVE-2026-33229Same product: Xwiki Xwiki
CVE-2025-53835Same product: Xwiki Xwiki
CVE-2025-51991Same product: Xwiki Xwiki
CVE-2025-23025Same product: Xwiki Xwiki

Affected Assets

xwiki
xwiki
6.1 — 15.10.14 · 16.0.0 — 16.4.6 · 16.5.0 — 16.10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved authorizations, directly countering the authorization bypass that allows unauthenticated REST API access to private subwiki pages.

prevent

AC-14 restricts and monitors actions permitted without identification or authentication, preventing unauthorized access to sensitive information via unauthenticated API calls as in this CVE.

preventrecover

SI-2 requires timely flaw remediation, directly mitigating this vulnerability through application of available patches in affected XWiki versions.

References