CVE-2025-54385
Published: 26 July 2025
Summary
CVE-2025-54385 is a high-severity Improper Input Validation (CWE-20) vulnerability in XWiki Platform. Its CVSS 4.0 base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
XWiki Platform versions 17.0.0-rc1 through 17.2.2 and 16.10.5 and earlier contain an injection flaw in the XWiki#searchDocuments APIs. These methods forward caller-supplied HQL to Hibernate without sanitization. Because HQL passes function calls it does not recognise straight through to the underlying database, an attacker can call Oracle packages such as DBMS_XMLGEN and DBMS_XMLQUERY from the WHERE clause even when the API fixes the SELECT portion of the query. The issue is tracked as CWE-20 and carries a CVSS 4.0 score of 8.6.
An authenticated user with administrative privileges can supply crafted HQL that executes arbitrary SQL statements against an Oracle-backed XWiki instance, resulting in full read, write, and delete access to the database contents. Because the injection lands after the enforced SELECT clause, restricting the SELECT list alone does not prevent the attack; the whole statement has to be validated.
The vulnerability is resolved in XWiki 16.10.6 and 17.3.0-rc-1. The project advisory GHSA-p9qm-p942-q3w5 and the linked commits detail the input-validation changes applied to the searchDocuments methods. EPSS remains low with only a minor increase between its recorded values.
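The mechanism above, as an added example that is not XWiki's code: a deliberately simplified search helper in Python that, like the vulnerable API shape the advisory describes, prepends a fixed SELECT clause to a caller-supplied WHERE fragment. `passes_select_only_check` is the insufficient check (it accepts a fragment that calls DBMS_XMLGEN because the SELECT list is untouched); `validate_where_fragment` and `safe_search_hql` are one hardened shape that inspects the entire fragment against an allowlist of HQL functions and requires values to arrive as bound parameters. The function names, the allowlist and both sample fragments are constructed for this example; the inner query in the malicious sample is deliberately trivial.

```python
import re

# Fixed SELECT clause that the simplified search helper below prepends.
# This mirrors only the *shape* of the pattern the advisory describes;
# it is not XWiki's own code.
ENFORCED_SELECT = "select distinct doc.fullName from XWikiDocument as doc"

# Constructed sample inputs (not taken from the advisory or any exploit).
BENIGN_WHERE = "lower(doc.name) like :pattern and doc.space = :space"
# A WHERE fragment that never touches the SELECT list but calls an Oracle
# package; the inner query is deliberately trivial.
MALICIOUS_WHERE = (
    "doc.name = :name or "
    "DBMS_XMLGEN.getxml('select 1 from dual') is not null"
)

# HQL functions a wiki search legitimately needs (assumed allowlist for this example).
ALLOWED_FUNCTIONS = {"lower", "upper", "concat", "length", "trim", "coalesce"}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
# An identifier (optionally dotted, e.g. PKG.func) followed by an opening paren.
_FUNC_CALL = re.compile(r"\b([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)\s*\(")
_PLACEHOLDER = re.compile(r":([A-Za-z_]\w*)")


def naive_search_hql(where_fragment: str) -> str:
    """Vulnerable pattern: the caller controls everything after the fixed SELECT."""
    return f"{ENFORCED_SELECT} where {where_fragment}"


def passes_select_only_check(hql: str) -> bool:
    """The insufficient check: verifies only that the statement starts with the
    enforced SELECT clause and says nothing about the rest of the query."""
    return hql.lower().startswith(ENFORCED_SELECT.lower())


def find_function_calls(hql: str) -> list[str]:
    """Every identifier immediately followed by '(' outside string literals."""
    return _FUNC_CALL.findall(_STRING_LITERAL.sub("''", hql))


def disallowed_functions(hql: str) -> list[str]:
    """Function calls in the statement that are not on the allowlist."""
    return [f for f in find_function_calls(hql) if f.lower() not in ALLOWED_FUNCTIONS]


def validate_where_fragment(where_fragment: str, params: dict) -> list[str]:
    """Checks applied to the whole caller-supplied fragment, not just the SELECT.
    Returns a list of problems; an empty list means the fragment is accepted."""
    problems = []
    bad = disallowed_functions(where_fragment)
    if bad:
        problems.append(f"disallowed function call(s): {bad}")
    if "'" in where_fragment:
        problems.append("string literals are not allowed; bind values as :name parameters")
    missing = sorted(set(_PLACEHOLDER.findall(where_fragment)) - set(params))
    if missing:
        problems.append(f"unbound parameters: {missing}")
    return problems


def safe_search_hql(where_fragment: str, params: dict) -> tuple[str, dict]:
    """Hardened pattern: same enforced SELECT, but the WHERE fragment is validated
    as a whole and values travel as bound parameters, never as interpolated text."""
    problems = validate_where_fragment(where_fragment, params)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{ENFORCED_SELECT} where {where_fragment}", dict(params)


if __name__ == "__main__":
    for label, fragment in (("benign", BENIGN_WHERE), ("malicious", MALICIOUS_WHERE)):
        hql = naive_search_hql(fragment)
        print(f"{label}: select-only check passes={passes_select_only_check(hql)}, "
              f"disallowed={disallowed_functions(hql)}")
```

Running the block shows the malicious fragment sailing through the select-only check while the allowlist check flags `DBMS_XMLGEN.getxml`. The regex-based allowlist is illustrative: it is good enough to show that validation must cover every clause where HQL will pass a function through to the database, but a production fix belongs at the API layer (as the project's linked commits do) and is better built on a real HQL parser than on pattern matching.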
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22764
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1.
- CWE(s): CWE-20 (Improper Input Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Remote SQL injection through the XWiki#searchDocuments APIs of a public-facing XWiki instance lets an authenticated attacker execute arbitrary queries against the backend Oracle database.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) directly addresses the improper input validation in the XWiki#searchDocuments APIs: the whole HQL statement, not only its SELECT clause, must be validated so that Oracle functions like DBMS_XMLGEN cannot be called from the WHERE clause.
SI-2 (Flaw Remediation) mandates timely installation of vendor patches, here XWiki 16.10.6 or 17.3.0-rc-1, which fix the unsanitized query passing to Hibernate.
SI-9 (Information Input Restrictions) no longer exists as a standalone control; it was withdrawn from 800-53 and folded into AC-2, AC-3, AC-5 and AC-6. The equivalent measure here is least privilege (AC-6): restrict which accounts can reach scripting and the searchDocuments APIs, so that an attacker without those rights cannot submit HQL at all. This narrows exposure even where validation is incomplete.