XWiki Platform is a widely used, versatile wiki platform that offers many features for managing and organizing content. However, a recently disclosed vulnerability, identified as CVE-2025-29924, threatens the confidentiality of page content on subwikis that enable certain rights options. This article provides details on the vulnerability, describes how to reproduce it, and offers recommendations for addressing the issue.

CVE-2025-29924: Vulnerability Details

This vulnerability affects XWiki Platform versions prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, specifically on subwikis that enable one of the rights options "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages." These options are meant to force unregistered (guest) users to authenticate before they can read or edit the subwiki, but on affected versions the restriction is not honoured by the REST API, and possibly by other APIs, so an unauthenticated attacker can read private page content. Note that this issue only impacts subwikis; the main wiki is not affected.

Code Snippet

To access a private page through the REST API, an attacker could use the following curl command as an example:

curl -i -X GET "https://your-xwiki-instance.com/xwiki/rest/wikis/subwiki/spaces/Space/pages/Page" -H "Accept: application/json"

Replace your-xwiki-instance.com, subwiki, Space, and Page with the values for your own instance; nested spaces are expressed as repeated /spaces/<name> segments. Send the request without any credentials or session cookie: on an affected subwiki with the guest restriction enabled, the response is still an HTTP 200 carrying the page content, whereas a patched instance refuses the unauthenticated request (HTTP 401 or 403) until the client authenticates.

Patch & Recommendations

XWiki has addressed this issue in versions 15.10.14, 16.4.6, and 16.10.0-rc-1. Users are strongly advised to update their instances to the patched release on their branch (15.10.14 for 15.10.x, 16.4.6 for 16.4.x, or 16.10.0-rc-1 and later) as soon as possible. The official release notes and download links for these versions are listed in the following references:

- XWiki 15.10.14 Release Notes
- XWiki 16.4.6 Release Notes
- XWiki 16.10.0-rc-1 Release Notes
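The script below is an added example, not code from the original article or from the XWiki project. It encodes the fixed versions named above so an administrator can classify an installed version offline (XWiki pre-release suffixes such as -milestone-N and -rc-N are ordered before the final release), builds the REST page URL that the curl request above targets (nested spaces become repeated /spaces/ segments, with every name percent-encoded), and can optionally send one unauthenticated GET to confirm that the guest restriction is enforced. The base URL, wiki, space and page names are placeholders, not a real instance.

```python
"""
Helper for CVE-2025-29924 (XWiki): classify an installed version against the
advisory's fixed versions and build / send the unauthenticated REST probe.
Added example; not XWiki project code. All host and wiki names are placeholders.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

# First fixed release on each branch, as named in the advisory.
FIXED_15_10 = "15.10.14"
FIXED_16_4 = "16.4.6"
FIXED_16_10 = "16.10.0-rc-1"

# Pre-release ordering used by XWiki version strings: milestone < rc < final.
_STAGE_RANK = {"milestone": 0, "rc": 1, "final": 2}
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Turn '16.10.0-rc-1' into a comparable tuple (16, 10, 0, 1, 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (
        int(major),
        int(minor),
        int(patch or 0),
        _STAGE_RANK[(stage or "final").lower()],
        int(stage_num or 0),
    )


def is_vulnerable(version):
    """True if `version` predates the fix on its own release branch."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major < 16:
        # 15.10.x receives the fix in 15.10.14; anything older is also unfixed.
        return v < parse_version(FIXED_15_10)
    if major == 16 and minor <= 4:
        # 16.0 to 16.4: fixed in 16.4.6 (16.0-16.3 are all older than that).
        return v < parse_version(FIXED_16_4)
    # 16.5 and later: fixed from 16.10.0-rc-1 onward.
    return v < parse_version(FIXED_16_10)


def rest_page_url(base_url, wiki, spaces, page):
    """Build /rest/wikis/{wiki}/spaces/{a}/spaces/{b}/pages/{page}.
    Nested spaces become repeated /spaces/ segments; names are percent-encoded."""
    parts = ["wikis/" + quote(wiki, safe="")]
    parts += ["spaces/" + quote(s, safe="") for s in spaces]
    parts.append("pages/" + quote(page, safe=""))
    return base_url.rstrip("/") + "/rest/" + "/".join(parts)


def probe_unauthenticated(url, timeout=10):
    """GET `url` with no credentials. Returns (http_status, body_returned).
    On a subwiki that enforces 'Prevent unregistered users to view pages' the
    expected outcome is a 401/403 with no page body; a 200 means guests can read."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, True
    except urllib.error.HTTPError as err:
        return err.code, False


if __name__ == "__main__":
    # Usage: python check.py <version> [<base-url> <wiki> <page> [space ...]]
    # e.g. python check.py 16.4.5 https://wiki.example.org/xwiki subwiki Page Space
    version = sys.argv[1] if len(sys.argv) > 1 else "16.4.5"
    print(f"{version}: {'VULNERABLE' if is_vulnerable(version) else 'fixed'}")
    if len(sys.argv) >= 5:
        url = rest_page_url(sys.argv[2], sys.argv[3], sys.argv[5:], sys.argv[4])
        status, leaked = probe_unauthenticated(url)
        print(f"{url} -> HTTP {status}; page body returned: {leaked}")
```

Run the version check before and after upgrading; the network probe is only worth running against a subwiki where one of the two guest-restriction options is enabled, since on any other subwiki an HTTP 200 for a guest is the expected behaviour rather than a sign of the bug.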

Additionally, it is essential to apply all recommended security configurations and guidelines provided in the XWiki documentation to secure your wiki platform against other potential vulnerabilities.

Conclusion

By exploiting CVE-2025-29924, unauthenticated attackers can read private page content on XWiki subwikis that rely on the "Prevent unregistered users" rights options. XWiki administrators should update their instances to a patched version without delay, identify which subwikis depend on those options, and verify after the upgrade that an unauthenticated REST request to a protected page is refused.

Timeline

Published on: 03/19/2025 18:15:25 UTC
Last modified on: 03/19/2025 20:15:19 UTC