CVE-2025-29925
published 2025-03-19
Priority: P180 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.91% (55.3rd percentile)
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.
Affected
6 ranges (three carry version data; the xwiki-platform entries have none)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 1.9 < 15.10.14 | 15.10.14 |
| xwiki | xwiki | >= 16.0.0 < 16.4.6 | 16.4.6 |
| xwiki | xwiki | >= 16.5.0 < 16.10.0-rc-1 | 16.10.0-rc-1 |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
- url: rest/wikis/xwiki/pages?space=
- url: xwiki/rest/wikis/xwiki/pages?space=
- other: <pageSummary
- other: <pages
- Probe both URL path variants of the XWiki REST pages endpoint (with and without the leading 'xwiki/' context path) with an unauthenticated GET request. A vulnerable instance answers HTTP 200 with a Content-Type containing 'text/xml' or 'text/javascript' and a body containing all three XML tokens '<pageSummary', '<pages' and '<xwikiRelativeUr'.
- Shodan fingerprint for exposed XWiki instances: search for the HTML attribute 'data-xwiki-reference' in page source.
- FOFA fingerprint for exposed XWiki instances: search for a body containing 'data-xwiki-reference'.
- The vulnerability is exploitable without authentication (PR:N, UI:N per CVSS): no session or credentials are needed to trigger the information disclosure through the REST pages endpoint.
- The REST endpoint /rest/wikis/[wikiName]/pages leaks page listings even when the wiki is configured with 'Prevent unregistered user to view pages'; monitor for unauthenticated GET requests to this path pattern.
- The disclosure only affects the main wiki endpoint; sub-wikis are not affected by this specific bypass.
- Patched versions (15.10.14, 16.4.6, 16.10.0RC1) still expose the endpoint but filter the result by page rights, so the endpoint remains reachable after patching and an HTTP 200 by itself is not evidence of vulnerability: on a patched wiki that has guest-viewable pages, an unauthenticated request legitimately returns '<pageSummary' entries. Confirm a finding by checking the version, or by verifying that a page known to be protected (or any page at all, when 'Prevent unregistered user to view pages' is enabled) appears in the unauthenticated listing.
- The Nuclei template uses stop-at-first-match across the two path payloads, so a single successful probe is enough to confirm the finding; other tooling should test both path variants independently.
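The probe logic and the log-monitoring rule described in the notes above, as an added example written for this page (it is neither XWiki's code nor the Nuclei template itself). The response classifier mirrors the matchers listed above (both path variants, HTTP 200, XML or JavaScript content type, the three XML tokens) and the access-log scanner implements the "unauthenticated GET to the pages endpoint" rule. The XML bodies and log lines are constructed for the demo; the <fullName> element used to pull page names out of <pageSummary> entries, and treating a "-" remote-user field as unauthenticated, are assumptions to adjust to the real deployment.

```python
"""Offline helpers for CVE-2025-29925 exposure checks (added example, not
XWiki's or the Nuclei project's code). Sample bodies and log lines below are
constructed; <fullName> as the page-name element is an assumption."""
import re

# Both path variants listed under Detection & IOCs, relative to the site root.
PROBE_PATHS = ("rest/wikis/{wiki}/pages?space=",
               "xwiki/rest/wikis/{wiki}/pages?space=")
# Tokens a vulnerable response contains; the third is used as a prefix,
# exactly as it is listed (truncated) on the page.
REQUIRED_TOKENS = ("<pageSummary", "<pages", "<xwikiRelativeUr")
CONTENT_TYPES = ("text/xml", "text/javascript")


def probe_urls(base_url: str, wiki: str = "xwiki") -> list[str]:
    """Both probe URLs for a base such as https://wiki.example.test."""
    base = base_url.rstrip("/")
    return [f"{base}/{p.format(wiki=wiki)}" for p in PROBE_PATHS]


def matches_leak_signature(status: int, content_type: str, body: str) -> bool:
    """True when a response satisfies every condition of the probe above."""
    if status != 200:
        return False
    ct = (content_type or "").lower()
    if not any(t in ct for t in CONTENT_TYPES):
        return False
    return all(tok in body for tok in REQUIRED_TOKENS)


def vulnerable_variants(responses: dict[str, tuple[int, str, str]]) -> list[str]:
    """Evaluate every probe URL independently (no stop-at-first-match) and
    return those whose (status, content_type, body) carries the signature."""
    return [url for url, (s, ct, b) in responses.items()
            if matches_leak_signature(s, ct, b)]


def leaked_pages(body: str) -> list[str]:
    """Page names from <pageSummary> entries (assumes a <fullName> child)."""
    return re.findall(r"<pageSummary\b[^>]*>.*?<fullName>([^<]+)</fullName>"
                      r".*?</pageSummary>", body, flags=re.S)


# Constructed sample responses (not captured from a real instance).
VULNERABLE_BODY = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<pages xmlns="http://www.xwiki.org">'
    '<pageSummary><fullName>Main.WebHome</fullName>'
    '<xwikiRelativeUrl>/xwiki/bin/view/Main/</xwikiRelativeUrl></pageSummary>'
    '<pageSummary><fullName>Internal.Roadmap</fullName>'
    '<xwikiRelativeUrl>/xwiki/bin/view/Internal/Roadmap</xwikiRelativeUrl>'
    '</pageSummary></pages>'
)
# A patched wiki with no guest-viewable pages: still HTTP 200, but the rights
# filter leaves the listing empty, so the signature must not match.
FILTERED_BODY = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                 '<pages xmlns="http://www.xwiki.org"/>')

# Combined-log-format lines, constructed for the demo. The remote-user field
# "-" is treated as unauthenticated; XWiki sessions are cookie-based, so a real
# rule would key on the absence of a session cookie instead (assumption).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Mar/2025:10:00:01 +0000] "GET /xwiki/rest/wikis/xwiki/pages?space= HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [19/Mar/2025:10:00:02 +0000] "GET /rest/wikis/xwiki/pages?space= HTTP/1.1" 404 312 "-" "curl/8.5.0"',
    '198.51.100.4 - alice [19/Mar/2025:10:00:05 +0000] "GET /xwiki/rest/wikis/xwiki/pages HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/Mar/2025:10:00:09 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Mar/2025:10:00:10 +0000] "POST /xwiki/rest/wikis/xwiki/pages HTTP/1.1" 405 0 "-" "curl/8.5.0"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# /rest/wikis/<wiki>/pages with or without the /xwiki context path, followed by
# a query string, a sub-path, or end of string.
ENDPOINT_RE = re.compile(r"^(?:/xwiki)?/rest/wikis/[^/]+/pages(?:[?/]|$)")


def find_probe_requests(lines) -> list[tuple[str, str, int]]:
    """Unauthenticated GETs against the pages endpoint as (ip, path, status)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["user"] != "-":
            continue
        if ENDPOINT_RE.match(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for u in probe_urls("https://wiki.example.test"):
        print("probe:", u)
    print("leaked:", leaked_pages(VULNERABLE_BODY))
    print("hits:", find_probe_requests(SAMPLE_LOG))
```

Feed `matches_leak_signature` the status, Content-Type header and body of each live probe; `vulnerable_variants` deliberately evaluates both paths rather than stopping at the first hit. Because a patched wiki with public pages also returns `<pageSummary` entries, treat a match as a lead and confirm it against a page that should not be guest-visible.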
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd · v4.0 · 8.7 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 8.7 HIGH
The two NVD scores differ because the v4.0 vector rates the confidentiality impact High (VC:H) while the v3.1 vector rates it Low (C:L); VulnCheck's 8.7 HIGH matches the v4.0 score.
OSV
osv·2025-03-19
CVE-2025-29925 [HIGH] XWiki allows unregistered users to access private pages information through REST endpoint
### Impact
Protected pages are listed when requesting the REST endpoints `/rest/wikis/[wikiName]/pages` even if the user doesn't have view rights on them.
It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki (actually it only impacts the main wiki due to XWIKI-22639).
### Patches
The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.
### Workarounds
There's no workaround except upgrading or applying manually the changes of the commits (see references) in `xwiki-platform-rest-s
GHSA
ghsa·2025-03-19
CVE-2025-29925 [HIGH] CWE-402 XWiki allows unregistered users to access private pages information through REST endpoint
Advisory text (Impact, Patches, Workarounds) identical to the OSV entry above.
VulnCheck
vulncheck·2025·CVSS 8.7
CVE-2025-29925 [HIGH] xwiki xwiki Transmission of Private Resources into a New Sphere ('Resource Leak')
Description identical to the summary at the top of the page.
Affected: xwiki xwiki
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the
No detection rules found.
Nuclei
nuclei·CVSS 8.7
CVE-2025-29925 [HIGH] XWiki REST API - Private Pages Disclosure
Template:
```yaml
id: CVE-2025-29925

info:
  name: XWiki REST API - Private Pages Disclosure
  author: ritikchaddha
  severity: high
  description: |
    A vulnerability in XWiki's REST API allows unauthenticated users to access information about private pages through the pages endpoint. This could lead to disclosure of sensitive information and page metadata.
  impact: |
    Unauthenticated users can access private page information through the REST API pages endpoint, potentially exposing sensitive metadata and page content.
  remediation: |
    Upgrade to XWiki version
```
No writeups or analysis indexed.
References
- https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df
- https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-22q5-9phm-744v
- https://jira.xwiki.org/browse/XWIKI-22630
- https://jira.xwiki.org/browse/XWIKI-22639