CVE-2025-48063
Published: 21 May 2025
Summary
CVE-2025-48063 is a medium-severity Improper Authorization (CWE-285) vulnerability in XWiki. Its CVSS base score is 4.8 (Medium).
Operationally, it ranks in the top 10.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
XWiki, a generic wiki platform, contains a flaw in its required rights security model that was introduced in version 16.10.0. The model intends to prevent users without a given right from designating that right as required on a document, thereby protecting editors from inadvertently escalating privileges on scripts or objects. A bug in the enforcement logic allows any user possessing only edit rights to designate programming rights as required on a document.
An attacker with edit access can therefore mark a page as requiring programming rights. When a user who holds programming rights subsequently edits the page, the document content receives those rights and can execute arbitrary code. The attack surface remains limited because the vulnerability only becomes exploitable when required rights enforcement is active on all documents, a configuration that affected releases do not expose through any user interface.
The issue is resolved in XWiki 16.10.4 and 17.1.0RC1; the project advisory and associated commits recommend upgrading as the sole mitigation, with no other workarounds identified. The EPSS score remains flat at 0.0488 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16054
Vulnerability details
XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights, so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading.
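The "Deeper analysis" and "Vulnerability details" sections above describe the same rule and the same failure: a user may only declare a required right that they themselves hold, and when that check is missing, a page edited afterwards by a programming-rights user ends up executing with programming right. The following is an added example, not XWiki code and not taken from the advisory: a deliberately simplified model of that rule in Python. The ordered rights (VIEW < EDIT < SCRIPT < PROGRAMMING), the user and document names, and the assumption that enforced content runs with the required right capped at what the saving author holds are all constructed for the illustration. The `enforce_rule` flag switches between the intended check and the defective behaviour the page describes, so the two outcomes can be compared side by side, and `edit_warnings` models the required-rights analysis that still warns the editor before saving.

```python
"""Simplified model of the required-rights rule behind CVE-2025-48063.

Constructed illustration only: this is not XWiki's implementation, and the
rights ordering, names and save semantics below are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Right(IntEnum):
    """Ordered rights; a higher value is assumed to imply the lower ones."""
    VIEW = 1
    EDIT = 2
    SCRIPT = 3
    PROGRAMMING = 4


@dataclass
class User:
    name: str
    max_right: Right  # highest right this user holds (constructed model)

    def holds(self, right: Right) -> bool:
        return self.max_right >= right


@dataclass
class Document:
    name: str
    required_right: Right = Right.VIEW  # right declared as required on the page
    content_right: Right = Right.VIEW   # right the content currently executes with
    last_author: str = ""


class AuthorizationError(Exception):
    pass


def set_required_right(doc: Document, user: User, right: Right,
                       enforce_rule: bool = True) -> Document:
    """Change the required right declared on a document.

    Intended rule: a user may only require a right they hold themselves.
    enforce_rule=False models the defective check in the affected releases,
    where edit right alone was enough to declare PROGRAMMING as required.
    """
    if not user.holds(Right.EDIT):
        raise AuthorizationError(f"{user.name} lacks edit right on {doc.name}")
    if enforce_rule and not user.holds(right):
        raise AuthorizationError(
            f"{user.name} cannot require {right.name}: right not held")
    doc.required_right = right
    doc.last_author = user.name
    return doc


def edit_warnings(doc: Document, editor: User) -> list:
    """Required-rights analysis run when a page is opened for editing:
    warn when saving would let the content execute with a higher right."""
    granted = min(doc.required_right, editor.max_right)
    if granted > doc.content_right:
        return [f"saving as {editor.name} raises content right "
                f"{doc.content_right.name} -> {granted.name}"]
    return []


def save(doc: Document, editor: User) -> Right:
    """With enforcement on, content runs with the required right, capped at
    what the saving author holds (assumed behaviour of this model)."""
    if not editor.holds(Right.EDIT):
        raise AuthorizationError(f"{editor.name} lacks edit right on {doc.name}")
    doc.content_right = min(doc.required_right, editor.max_right)
    doc.last_author = editor.name
    return doc.content_right


def escalation_scenario(enforce_rule: bool) -> tuple:
    """Replay the chain from the advisory: an edit-only user declares
    PROGRAMMING as required, then a programming-rights user edits the page.
    Returns (outcome, warnings) where outcome is 'rejected' or the right the
    content ends up executing with."""
    edit_only = User("edit-only-user", Right.EDIT)      # constructed users
    programmer = User("programmer", Right.PROGRAMMING)
    doc = Document("Sandbox.WebHome")                     # constructed page
    try:
        set_required_right(doc, edit_only, Right.PROGRAMMING, enforce_rule)
    except AuthorizationError:
        return "rejected", []
    warnings = edit_warnings(doc, programmer)  # editor is still warned
    save(doc, programmer)
    return doc.content_right.name, warnings


if __name__ == "__main__":
    print("defective check:", escalation_scenario(enforce_rule=False))
    print("intended check: ", escalation_scenario(enforce_rule=True))
```

With the intended check the edit-only user's attempt is rejected and the document never changes; with the defective check the same attempt succeeds and the content executes with PROGRAMMING once the programmer saves, which is the escalation the advisory describes. The one remaining defensive signal in the defective case is the warning returned by `edit_warnings`, matching the page's note that the required-rights analysis still alerts the editor unless that check is also bypassed.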
CWE(s): CWE-285 (Improper Authorization)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
- Periodic reviews identify and correct flaws in authorization decisions or enforcement.
- The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
- Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
- Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
- The control explicitly requires authorization of each wireless access type prior to permitting connections.
- Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.
- Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.