CVE-2025-54385
Published: 26 July 2025
Summary
CVE-2025-54385 is a critical-severity Improper Input Validation (CWE-20) vulnerability in the XWiki Platform (vendor: XWiki). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the improper input validation in the XWiki#searchDocuments APIs by requiring that HQL query fragments be validated or sanitized before they reach Hibernate, blocking injection of Oracle native functions such as DBMS_XMLGEN in the WHERE clause.
SI-2 mandates timely installation of vendor patches, here XWiki 16.10.6 or 17.3.0-rc-1, which fix the unsanitized passing of queries to Hibernate.
SI-9 restricts information inputs at API boundaries to known-safe patterns, limiting injection of malicious HQL even where full validation is incomplete.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is an unauthenticated, remote SQL injection in the APIs of a public-facing XWiki web platform, giving an attacker arbitrary query execution on the backend database.
NVD Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1.
Deeper analysis
CVE-2025-54385 is a critical-severity SQL injection vulnerability (CVSS 9.8) in the XWiki Platform, a generic wiki platform providing runtime services for applications. It affects versions 17.0.0-rc1 through 17.2.2 and 16.10.5 and below, specifically the XWiki#searchDocuments APIs. These APIs pass queries directly to Hibernate without sanitization, so an attacker can reach arbitrary SQL on an Oracle backend through HQL's native function support (for example DBMS_XMLGEN or DBMS_XMLQUERY). Even when a specific SELECT clause is enforced, malicious code can still be injected through other parts of the query, such as the WHERE clause (CWE-20: Improper Input Validation).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation allows execution of any SQL query, potentially leading to high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), such as data exfiltration, modification, or denial of service on the underlying Oracle database.
XWiki has addressed the issue in versions 16.10.6 and 17.3.0-rc-1, with fixes implemented via sanitization improvements in the affected APIs, as detailed in GitHub commits 7313dc9b533c70f14b7672379c8b3b63d1fd8f51 and 7c4087d44ac550610b2fa413dd4f5375409265a5. The security advisory GHSA-p9qm-p942-q3w5 and JIRA ticket XWIKI-22728 provide further details on the patch, recommending immediate upgrades for affected deployments using Oracle backends.
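The controls above (SI-10 and SI-9) and the analysis of the WHERE-clause vector both come down to one engineering point: a query fragment supplied by a caller must be confined to a known-safe grammar before it is concatenated into HQL, because the SELECT clause being fixed does not stop dialect-native functions elsewhere in the query. The following Python example, added here and not part of XWiki's code or its actual patch, shows what such an allow-list validator looks like for a WHERE fragment. The column names, the permitted functions and the sample fragments are constructed for the example; the rejection of DBMS_XMLGEN-style calls falls out of the rule that only allow-listed functions may be called at all, regardless of their arguments.

```python
import re

# Constructed allow-lists for this example (assumption: a caller supplying a
# WHERE fragment to a search API only needs these columns and functions).
ALLOWED_COLUMNS = {"doc.name", "doc.space", "doc.author", "doc.date", "doc.language"}
ALLOWED_FUNCTIONS = {"lower", "upper", "length", "trim"}
KEYWORDS = {"and", "or", "not", "like", "in", "is", "null", "between", "true", "false"}

# Everything the grammar admits. Anything else (';', '--', '/*', '||', ...)
# is an "unexpected character" and causes rejection.
_TOKEN = re.compile(
    r"""
    (?P<ws>\s+)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)
  | (?P<param>:[A-Za-z_][A-Za-z0-9_]*|\?)
  | (?P<op><=|>=|<>|!=|=|<|>|\(|\)|,)
    """,
    re.VERBOSE,
)


def tokenize(fragment):
    """Split an HQL WHERE fragment into (kind, text) tokens.

    Raises ValueError on the first character outside the grammar above."""
    pos, tokens = 0, []
    while pos < len(fragment):
        m = _TOKEN.match(fragment, pos)
        if not m:
            raise ValueError(f"unexpected character {fragment[pos]!r} at offset {pos}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def validate_where_fragment(fragment):
    """Return (True, 'ok') if the fragment uses only allow-listed columns,
    functions, keywords, numbers and bind parameters; else (False, reason)."""
    try:
        tokens = tokenize(fragment)
    except ValueError as exc:
        return False, str(exc)

    depth = 0
    for i, (kind, text) in enumerate(tokens):
        if kind == "string":
            # Literals must travel as bind parameters, never inline.
            return False, f"inline string literal {text}; bind it as a parameter instead"
        if kind == "op":
            if text == "(":
                depth += 1
            elif text == ")":
                depth -= 1
                if depth < 0:
                    return False, "unbalanced parenthesis"
            continue
        if kind != "ident":
            continue  # numbers and bind parameters are fine
        lowered = text.lower()
        if lowered in KEYWORDS:
            continue  # 'not (', 'in (' are keywords, not calls
        is_call = i + 1 < len(tokens) and tokens[i + 1] == ("op", "(")
        if is_call:
            # Native/dialect functions (DBMS_XMLGEN, DBMS_XMLQUERY, ...) and
            # subqueries are stopped here: only the short allow-list passes.
            if lowered not in ALLOWED_FUNCTIONS:
                return False, f"function {text} is not allow-listed"
        elif lowered not in ALLOWED_COLUMNS:
            return False, f"identifier {text} is not an allow-listed column or keyword"
    if depth != 0:
        return False, "unbalanced parenthesis"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample fragments: two that a search caller legitimately needs,
    # and a few that should never reach Hibernate.
    samples = [
        "doc.space = :space and lower(doc.name) like :pattern",
        "doc.space in (:a, :b) and not (doc.language = :l)",
        "doc.space = :s and DBMS_XMLGEN.GETXML(:q) = :x",
        "doc.name = :n; drop table xwikidoc",
        "doc.space = 'Main'",
    ]
    for s in samples:
        print(validate_where_fragment(s), "<-", s)
```

The design choice worth noting is that the validator is an allow-list over tokens, not a deny-list of known-bad function names: a deny-list for DBMS_XMLGEN would miss the next dialect function, whereas the allow-list rejects any call the caller was never meant to make. A real API would also keep the SELECT and FROM clauses fixed on the server side and bind every value as a parameter, as the validator's rejection of inline string literals enforces.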
Details
- CWE(s)