CVE-2025-32429
Published: 24 July 2025
Summary
CVE-2025-32429 is a critical-severity SQL Injection (CWE-89) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation and sanitization of the user-supplied 'sort' parameter before its use in the database ORDER BY clause.
Remediates the vulnerability by identifying, testing, and deploying the vendor patch that fixes the unsanitized injection in getdeleteddocuments.vm.
Identifies the SQL injection flaw through vulnerability scanning, enabling proactive patching before exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote SQL injection in public-facing XWiki web application directly matches exploitation of public-facing apps (T1190).
NVD Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm.…
more
It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
Deeper analysisAI
CVE-2025-32429 is a SQL injection vulnerability (CWE-89) in the XWiki Platform, a generic wiki platform providing runtime services for applications. It affects versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2. The flaw occurs in the getdeleteddocuments.vm template, where the user-supplied "sort" parameter is directly injected as an ORDER BY value in a database query without sanitization.
The vulnerability is exploitable by unauthenticated attackers over the network with low complexity and no user interaction required, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Remote attackers can craft malicious payloads in the sort parameter to execute arbitrary SQL commands, potentially extracting sensitive data, modifying database contents, or disrupting service availability.
Mitigation is available via patches in XWiki Platform versions 16.10.6 and 17.3.0-rc-1. The GitHub security advisory (GHSA-vr59-gm53-v7cq), Jira ticket XWIKI-23093, and fix commits (dfd0744e9c18d24ac66a0d261dc6cafd1c209101 and f502b5d5fd36284a50890ad26d168b7d8dc80bd3) provide details on the remediation, urging immediate upgrades for affected instances.
Details
- CWE(s)