CVE-2025-66474
Summary
CVE-2025-66474 is a high-severity vulnerability affecting XWiki Rendering versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0. This vulnerability allows remote code execution (RCE) due to insufficient protection against {{/html}} injection, potentially enabling attackers to compromise the system.
Technical Details
The vulnerability stems from insufficient input sanitization in the XWiki Rendering component when it handles the {{/html}} closing tag. An attacker can inject a {{/html}} tag into content that is rendered inside the HTML macro; the rendering engine then processes whatever follows as ordinary wiki syntax, including script macros. Specifically, the vulnerability allows execution of the Groovy and Python macros, which gives the attacker the ability to run arbitrary code on the server. This includes unrestricted read and write access to all wiki contents, effectively compromising the entire XWiki instance. The root cause is the failure to properly escape or sanitize user-supplied input before the rendering engine processes it, which lets the attacker bypass the security checks that would otherwise block the injected code.
The attack vector is the ability of users to edit their profiles or other documents within the XWiki instance. An attacker injects the payload into one of these editable areas, and the vulnerability triggers when the document is rendered. This can be done in several ways, for example by crafting a malicious profile or by placing the payload in a wiki page that other users view frequently. The injected code runs when the affected XWiki instance renders the content, resulting in remote code execution.
Affected Products and Versions
The following XWiki Rendering versions are affected by CVE-2025-66474:
- XWiki Rendering versions 16.10.9 and below
- XWiki Rendering versions 17.0.0-rc-1 through 17.4.2
- XWiki Rendering versions 17.5.0-rc-1 through 17.5.0
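As an added example, not part of the advisory or the XWiki project, the Python below encodes the three affected ranges listed above so that an inventory of XWiki Rendering versions can be triaged. It sorts a release candidate before the final release with the same number (17.0.0-rc-1 precedes 17.0.0), which matters because two of the ranges start at an rc build. The hostnames and versions in the sample inventory are constructed, and any version string outside the major.minor.patch[-rc-N] form used in the advisory is reported as unknown rather than guessed at.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version strings in the form the advisory uses: "16.10.9", "17.0.0-rc-1".
# Any other suffix (milestones etc.) is rejected rather than guessed at.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc-(\d+))?$")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn an XWiki Rendering version string into a sortable tuple.

    A release candidate must sort before the final release with the same
    number (17.0.0-rc-1 < 17.0.0), so the 4th element is 0 for "-rc-N" and
    1 for a final release; the 5th element carries the rc number.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


# Affected ranges exactly as the advisory lists them, inclusive at both ends.
# A lower bound of None means "this version and everything below it".
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "16.10.9"),
    ("17.0.0-rc-1", "17.4.2"),
    ("17.5.0-rc-1", "17.5.0"),
]

# Fixed releases named in the advisory's remediation section.
FIXED_VERSIONS = ["16.10.10", "17.4.3", "17.6.0-rc-1"]


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    key = parse_version(version)
    for low, high in AFFECTED_RANGES:
        above_low = low is None or parse_version(low) <= key
        if above_low and key <= parse_version(high):
            return True
    return False


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected', 'not affected' or an 'unknown' status."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown (unparseable version)"
    return result


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "wiki-prod-1": "16.10.9",
    "wiki-prod-2": "17.4.2",
    "wiki-staging": "17.5.0-rc-1",
    "wiki-dev": "17.6.0-rc-1",
    "wiki-legacy": "14.10.21",
    "wiki-odd": "17.3.0-milestone-1",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:22} {status}")
    print("fixed releases:", ", ".join(FIXED_VERSIONS), "(or later)")
```

Unparseable versions are deliberately surfaced as unknown rather than silently treated as safe; those hosts need a manual check against the ranges above.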
Impact Assessment
Successful exploitation of CVE-2025-66474 can have severe consequences, including:
- Remote Code Execution (RCE): Attackers can execute arbitrary code on the XWiki server, potentially gaining complete control of the system.
- Data Breach: Attackers can access and exfiltrate sensitive data stored within the XWiki instance.
- System Compromise: The entire XWiki instance can be compromised, leading to disruption of services and potential data loss.
- Privilege Escalation: Attackers can escalate their privileges to gain administrative access to the system.
Remediation
To mitigate the risk posed by CVE-2025-66474, it is strongly recommended to upgrade to a patched version of XWiki Rendering.
Immediate Actions
- Upgrade XWiki Rendering: Upgrade to version 16.10.10, 17.4.3, or 17.6.0-rc-1, or any later release.
- Review User Permissions: Restrict user permissions to minimize the attack surface. Limit the ability of users to edit profiles or other documents unless absolutely necessary.
- Monitor System Logs: Monitor system logs for suspicious activity, such as attempts to inject malicious code or execute unauthorized scripts.
Long-term Solutions
- Input Sanitization: Implement robust input sanitization techniques to prevent code injection vulnerabilities.
- Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities.
- Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) to detect and block malicious requests.
Detection & Scanning
This vulnerability can be detected by analyzing XWiki Rendering logs for suspicious activity around {{/html}} tag processing, such as attempts to execute unauthorized scripts or to read data the requesting user should not be able to reach. Security scanners and vulnerability assessment tools can also be used to identify vulnerable XWiki instances.
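As an added detection example, not code from the advisory or the XWiki project, the Python below scans user-supplied field values (profile fields, comments, page content pulled from the database or from request bodies) for the shape the advisory describes: a {{/html}} closing tag followed by a Groovy or Python macro opening. The record layout, the regular expressions and the sample records are all assumptions constructed for this example; it does not parse XWiki's real log format, and the placeholder macro body in the sample is not a working payload.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Closing tag of the HTML macro; whitespace and case variants are matched
# defensively so that trivial obfuscation does not evade the check.
HTML_CLOSE_RE = re.compile(r"\{\{\s*/\s*html\s*\}\}", re.IGNORECASE)
# Opening tag of the server-side script macros the advisory names.
SCRIPT_OPEN_RE = re.compile(r"\{\{\s*(groovy|python)\b", re.IGNORECASE)


@dataclass
class Finding:
    document: str
    author: str
    field: str
    severity: str  # "high" or "medium"
    reason: str


def scan_field(document: str, author: str, field: str, value: str) -> List[Finding]:
    """Inspect one user-supplied field value for the {{/html}} break-out shape.

    A plain profile or comment field should never contain wiki macro syntax, so a
    bare {{/html}} is reported as medium; a script macro opening anywhere after it
    is the pattern that leads to code execution and is reported as high.
    """
    findings: List[Finding] = []
    close = HTML_CLOSE_RE.search(value)
    if close is None:
        return findings
    script = SCRIPT_OPEN_RE.search(value, close.end())
    if script is not None:
        name = script.group(1).lower()
        findings.append(Finding(document, author, field, "high",
                                "{{/html}} followed by {{" + name + "}} macro"))
    else:
        findings.append(Finding(document, author, field, "medium",
                                "{{/html}} closing tag in a user-supplied field"))
    return findings


Record = Tuple[str, str, str, str]  # (document, author, field, value)


def scan_records(records: Iterable[Record]) -> Dict[str, List[Finding]]:
    """Run scan_field over every record and group the findings by severity."""
    grouped: Dict[str, List[Finding]] = {"high": [], "medium": []}
    for document, author, field, value in records:
        for finding in scan_field(document, author, field, value):
            grouped[finding.severity].append(finding)
    return grouped


# Constructed sample records; none of these documents, users or values are real.
SAMPLE_RECORDS: List[Record] = [
    ("XWiki.alice", "alice", "comment", "Hi, I work on the documentation team."),
    ("XWiki.bob", "bob", "comment", "See {{html}}<b>my page</b>{{/html}} for details."),
    ("XWiki.mallory", "mallory", "comment",
     "bio{{/html}}{{groovy}}/* placeholder body, constructed for the example */{{/groovy}}{{html}}"),
    ("Sandbox.Test", "carol", "content", "x{{ /HTML }}  {{ python }} ... {{/python}}"),
]

if __name__ == "__main__":
    for severity, findings in scan_records(SAMPLE_RECORDS).items():
        for f in findings:
            print(f"[{severity:6}] {f.document} ({f.author}, field={f.field}): {f.reason}")
```

A high finding attributed to an author who legitimately holds script or programming rights is expected and can be allow-listed; the cases worth investigating are findings attributed to ordinary users, who should not be able to reach script execution at all. Run the scanner over a content export before and after the upgrade to confirm that no injected content remains stored in the wiki.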