CVE-2025-55729
Published: 09 September 2025
Summary
CVE-2025-55729 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in XWiki (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the vulnerability by requiring timely remediation through upgrading to version 1.26.5, which fixes the missing escaping in the ConfluenceLayoutSection macro.
- Mandates validation of user-supplied parameters like ac:type and classes to block XWiki syntax injection leading to remote code execution.
- Limits system functionality by disabling unnecessary macros such as ConfluenceLayoutSection when not required for Confluence migration, reducing the attack surface.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated XWiki syntax injection leading to arbitrary server-side code execution directly maps to public-facing app exploitation (T1190) and command/scripting interpreter usage (T1059).
NVD Description
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.
Deeper analysis
CVE-2025-55729 is a remote code execution vulnerability in the XWiki Remote Macros extension, specifically the ConfluenceLayoutSection macro within the xwiki-pro-macros-confluence-bridges component. This extension provides XWiki rendering macros for migrating content from Confluence. The issue stems from missing escaping of the ac:type parameter and the classes parameter, which is used without proper escaping in XWiki syntax, enabling XWiki syntax injection. It affects versions from 1.0 up to but not including 1.26.5 and is rated with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), linked to CWE-116 (Improper Encoding or Escaping of Output).
The vulnerability can be exploited remotely by any user capable of editing any page on an affected XWiki instance. Attackers inject malicious XWiki syntax via the unescaped parameters, leading to arbitrary code execution on the server. The CVSS vector indicates no authentication or user interaction is required, with low attack complexity and a changed scope, allowing full compromise of confidentiality, integrity, and availability.
Advisories recommend upgrading to version 1.26.5, which includes a fix via proper escaping of the vulnerable parameters, as detailed in the GitHub security advisory (GHSA-22xj-jpjg-gpgw), the fixing commit (06e6cf3893227527d0242a11e390642178d9df05), the JIRA ticket (XWIKI-20449), and the affected source code location.
Details
- CWE(s)