CVE-2025-29924 - XWiki SubWiki Privacy Flaw Exposes Private Pages via REST API

Summary:
A new vulnerability, CVE-2025-29924, has been found in XWiki Platform, a popular open-source wiki system. Before versions 15.10.14, 16.4.6, and 16.10.-rc-1, users could bypass restrictions and access private information via the REST API, even when the subwiki was set to "Prevent unregistered users to view pages." This post explains how the flaw works, how to test for it, and the steps XWiki admins must take to secure their instances.

What’s the Problem?

XWiki offers an option in subwikis to block unregistered users from viewing or editing pages. But until the latest patches, an attacker could still see or extract private info using the REST API, or possibly another API. This bug only impacts subwikis (wikis within wikis) and only when special privacy options are set to restrict guests.

"Prevent unregistered users to edit pages"

Admins rely on these settings to control who can see or edit wiki pages if they’re not logged in. But the check didn't work with REST API requests on subwikis.

Details & Exploit

The REST API is meant for programmatic access—like integrating with other tools. But with this bug, even *guests* (not logged-in) could fetch private content from a protected subwiki via a simple HTTP request.

Imagine this is your subwiki URL

https://xwiki.example.com/xwiki/wiki/subwiki/

The following unauthenticated GET request to the REST API returns content for SecretPage

curl "https://xwiki.example.com/xwiki/rest/wikis/subwiki/spaces/Main/pages/SecretPage";

*Without any credentials*, you might get content like

<page>
  <id>subwiki:Main.SecretPage</id>
  <title>Secret Data</title>
  <content>This is confidential info visible via REST API</content>
  ...
</page>

Even though the same page is blocked for guests in the web interface!

`bash

curl "https://xwiki.example.com/xwiki/rest/wikis/subwiki/spaces/Main/pages/HiddenStuff"

If you see page content, you are vulnerable.

Important: This bug does not affect the main wiki, only subwikis with restricted settings.

Upgrade immediately to one of these versions

- 15.10.14
- 16.4.6
- 16.10.-rc-1

After upgrading

- Test the REST API (as shown above) to make sure unauthenticated requests are denied (should return 401/403).

More References

- XWiki Security Advisory
- CVE-2025-29924 at MITRE (NVD)
- XWiki Release Notes
- Official REST API Docs

Test your wikis with both browser and API requests.

Bottom line: If you run XWiki subwikis and care about privacy, patch for CVE-2025-29924 now!


*This article is exclusive to this post. For questions or more details, check out XWiki.org or join the XWiki user forums.*

Timeline

Published on: 03/19/2025 18:15:25 UTC
Last modified on: 04/30/2025 15:58:41 UTC