Cyber Resilience

CVE-2025-29925

Severity: High · Public PoC

Published: 19 March 2025
Modified: 30 April 2025
KEV Added: not listed
Patch: available (fixed in 15.10.14, 16.4.6 and 16.10.0-rc-1)
CVSS v4.0 score: 8.7 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0115 (78.9th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-29925 is a high-severity Resource Leak (CWE-402) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS base score is 8.7 (High).

Operationally, it ranks in the top 21.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform, a generic wiki platform, contains an information disclosure vulnerability in its REST API prior to versions 15.10.14, 16.4.6, and 16.10.0-rc-1. The endpoint /rest/wikis/[wikiName]/pages returns a list of pages without enforcing view-rights checks, exposing protected content even when the wiki is configured with restrictions such as "Prevent unregistered user to view pages". The flaw is tracked under CWE-402 and carries a CVSS 4.0 score of 8.7, reflecting a network-reachable, unauthenticated confidentiality impact.

An unauthenticated attacker can issue a single HTTP request to the affected REST endpoint and enumerate page titles and structures that should remain hidden. This exposes sensitive or internal wiki content on the main wiki and gives an attacker reconnaissance data for further targeted activity, without any access-control denial being recorded.

The official XWiki advisory and linked commits indicate that the patched releases continue to accept requests to the endpoint but now filter results according to the caller's page-level permissions. Administrators are advised to upgrade to one of the fixed versions; no other workarounds are documented in the references.
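To triage an installation against the fixed releases named above, the following added example (not taken from the advisory or from the XWiki project) parses XWiki version strings, including the -rc-N and -milestone-N pre-release forms, and checks them against the affected ranges stated on this page. The range table and the pre-release ordering (milestone below rc below final) are assumptions drawn from the advisory text.

```python
import re
from typing import Tuple

# Affected ranges for CVE-2025-29925 as stated on this page: lower bound
# inclusive, upper bound is the first fixed release and therefore exclusive.
AFFECTED_RANGES = [
    ("1.9", "15.10.14"),
    ("16.0.0", "16.4.6"),
    ("16.5.0", "16.10.0-rc-1"),
]

# Pre-release stages sort below a final release with the same number
# (assumed ordering: milestone < rc < final).
_STAGE = {"milestone": 0, "m": 0, "rc": 1}
_FINAL_STAGE = 2
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(milestone|rc|m)[-.]?(\d+))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version string into a sortable tuple.

    Accepts forms such as '15.10.14', '16.10.0-rc-1', '16.10.0RC1' and
    '16.10.0-milestone-2'; a missing patch number is treated as 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    if stage is None:
        return (int(major), int(minor), int(patch or 0), _FINAL_STAGE, 0)
    return (int(major), int(minor), int(patch or 0), _STAGE[stage.lower()], int(stage_num))


def is_affected(version: str) -> bool:
    """True if the given XWiki version falls inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample versions, including the rc/milestone edge cases.
    for sample in ["15.10.13", "15.10.14", "16.4.5", "16.10.0-milestone-1", "16.10.0RC1", "16.10.0"]:
        print(f"{sample:>22}: {'AFFECTED' if is_affected(sample) else 'fixed'}")
```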

EPSS remains low at 0.0115 with no significant post-disclosure increase observed.

Vulnerability details

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoint /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on page rights.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Affected versions: from 1.9 before 15.10.14; from 16.0.0 before 16.4.6; from 16.5.0 before 16.10.0 (upper bounds are the first fixed releases)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
