CVE-2025-32429
Published: 24 July 2025
Summary
CVE-2025-32429 is a critical-severity SQL injection (CWE-89) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 2.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
XWiki Platform versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2 contain a SQL injection vulnerability (CWE-89) in the getdeleteddocuments.vm template. The sort parameter is concatenated directly into an ORDER BY clause without sanitization or parameterization, allowing arbitrary SQL to be supplied through this input.
An unauthenticated remote attacker can exploit the flaw over the network by supplying a malicious sort value in a request to the affected template. Successful exploitation grants full control over the database query, enabling extraction, modification, or deletion of data and potentially leading to complete compromise of the confidentiality, integrity, and availability of the XWiki instance.
The vulnerability is resolved in XWiki 16.10.6 and 17.3.0-rc-1. Official patches are documented in the GitHub security advisory GHSA-vr59-gm53-v7cq and the linked commits that introduce proper parameterization of the ORDER BY clause; administrators are advised to upgrade promptly.
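As an added illustration (not XWiki's own code), the snippet below places the vulnerable pattern, a request-supplied sort value concatenated verbatim into ORDER BY, next to an allow-list builder that emits only identifiers the application itself defined. Table and column names are constructed for the example; ORDER BY targets cannot be bound as query parameters in most drivers, which is why an allow-list mapping is the usual defence for this position.

```python
import re

# Constructed allow-list for this example: the sort keys a client may request,
# mapped to the SQL identifiers the application is willing to emit.
SORTABLE_COLUMNS = {
    "date": "ddoc.date",
    "fullname": "ddoc.fullName",
    "deleter": "ddoc.deleter",
}

# Constructed base query; not XWiki's real HQL.
BASE_QUERY = "SELECT ddoc FROM DeletedDocument ddoc"


def build_query_unsafe(sort: str) -> str:
    """Vulnerable pattern: whatever the client sent becomes part of the query."""
    return f"{BASE_QUERY} ORDER BY {sort}"


def build_query_safe(sort: str) -> str:
    """Hardened pattern: parse each comma-separated term as an optional '-'
    (descending) followed by a field name, resolve the field through the
    allow-list, and reject anything else before it reaches the query text."""
    clauses = []
    for term in sort.split(","):
        match = re.fullmatch(r"\s*(-?)([A-Za-z]+)\s*", term)
        if not match:
            raise ValueError(f"malformed sort term: {term!r}")
        descending, field = match.group(1), match.group(2).lower()
        column = SORTABLE_COLUMNS.get(field)
        if column is None:
            raise ValueError(f"unknown sort field: {field!r}")
        clauses.append(f"{column} {'DESC' if descending else 'ASC'}")
    return f"{BASE_QUERY} ORDER BY {', '.join(clauses)}"


def is_safe_sort(sort: str) -> bool:
    """True if the sort value survives validation, False if it would be rejected."""
    try:
        build_query_safe(sort)
    except ValueError:
        return False
    return True
```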
The associated EPSS score peaked at 0.3813 after disclosure before settling at 0.3491, a clear rise in observed exploitation interest following public release of the CVE.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22551
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in the public-facing XWiki web application directly matches exploitation of public-facing applications (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by requiring validation and sanitization of the user-supplied 'sort' parameter before its use in the database ORDER BY clause.
- SI-2 (Flaw Remediation): remediates the vulnerability by identifying, testing, and deploying the vendor patch that fixes the unsanitized injection in getdeleteddocuments.vm.
- RA-5 (Vulnerability Monitoring and Scanning): identifies the SQL injection flaw through vulnerability scanning, enabling proactive patching before exploitation.