CVE-2025-53835
Published: 14 July 2025
Summary
CVE-2025-53835 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Filters information output to web pages to prevent cross-site scripting attacks from arbitrary HTML and JavaScript insertion during XHTML rendering.
Requires timely remediation of flaws like the xdom+xml/current syntax dependency that enables raw blocks and XSS in XWiki Rendering.
Validates textual inputs to wiki documents and profiles to block malicious syntax exploitation leading to raw HTML/JS insertion.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The stored XSS vulnerability (CWE-80) in XWiki Rendering allows low-privileged authenticated users to inject arbitrary JavaScript via editable documents (e.g., user profiles), exploiting the public-facing web application, executing JavaScript in victims' browsers upon viewing, and facilitating theft of web session cookies and browser credentials.
NVD Description
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current`…
more
syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.
Deeper analysisAI
CVE-2025-53835 is a cross-site scripting (XSS) vulnerability in XWiki Rendering, a generic rendering system that converts textual input in various syntaxes (such as wiki syntax or HTML) into output like XHTML. The issue affects versions starting from 5.4.5 and prior to 14.10, where the XHTML syntax depends on the `xdom+xml/current` syntax. This dependency enables the creation of raw blocks that allow insertion of arbitrary HTML content, including JavaScript, leading to XSS attacks.
The vulnerability can be exploited by low-privileged authenticated users (PR:L) who have permission to edit documents, such as their own user profile, which is enabled by default. Attackers can insert malicious raw blocks into editable content, and when other users view or interact with the rendered page (UI:R), the embedded JavaScript executes in the victim's browser context. This network-accessible attack (AV:N) with low complexity (AC:L) has a high impact (CVSS 9.0), achieving high confidentiality, integrity, and availability effects with changed scope (S:C), potentially compromising viewer sessions or data.
Advisories and the patch commit detail mitigation through upgrading to version 14.10, which removes the `xdom+xml/current` syntax dependency from XHTML rendering. No workarounds are available beyond upgrading, and the related `xdom+xml` syntax remains vulnerable but is intended only for testing and should not be used or installed on production wikis. Relevant resources include the fixing commit at https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7, GitHub Security Advisory GHSA-w3wh-g4m9-783p, and XWiki JIRA ticket XRENDERING-660.
Details
- CWE(s)