CVE-2025-49580 Overview
CVE-2025-49580 is a privilege escalation vulnerability in XWiki, an open-source generic wiki platform. The flaw affects versions from 8.2 and 7.4.5 up to, but not including, 17.1.0-rc-1, 16.10.4, and 16.4.7. A page containing links can gain script or programming rights when the link target is renamed or moved, which allows execution of scripts embedded in that page's xobjects that should never have been executed. The vulnerability is categorized under [CWE-266] Incorrect Privilege Assignment.
Critical Impact
Attackers with low privileges can trigger script or programming rights elevation through routine page refactoring, leading to arbitrary script execution within the wiki context.
Affected Products
- XWiki Platform versions 8.2 through 16.4.6
- XWiki Platform versions 7.4.5 through 16.10.3
- XWiki Platform versions prior to 17.1.0-rc-1
Discovery Timeline
- 2025-06-13 - CVE-2025-49580 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-49580
Vulnerability Analysis
The vulnerability resides in XWiki's refactoring subsystem, specifically in how links are updated when target pages are renamed or moved. When the refactoring engine processes a page containing links to a renamed entity, it saves modifications under the author context that may inadvertently inherit elevated rights. Pages that previously had no script or programming rights can gain these privileges through the refactoring save operation.
This behavior creates an indirect privilege escalation path. An attacker who can rename or move a referenced page can cause unrelated pages to inherit script execution capabilities. Scripts stored within xobjects on those pages — which should remain dormant due to insufficient rights — become executable after the refactoring operation completes.
Root Cause
The root cause lies in the DefaultReferenceUpdater class in xwiki-platform-refactoring-default: the reference updater saved refactored documents without preserving the original author's reduced privilege context, so the re-saved page could pick up the rights of the user running the refactoring. The patch addresses this by saving refactoring link updates as minor versions with explicit save messages, so that rights are not inherited from the refactoring user context.
Attack Vector
Exploitation requires authenticated access with permission to create or edit pages and trigger rename or move operations. The attacker plants a script payload inside an xobject on a page that lacks script rights. When a privileged user — or the attacker through a chained operation — renames a linked page, the refactoring process re-saves the host page, granting it the elevated rights needed to execute the embedded script.
// Patch: DefaultReferenceUpdater.java - imports added for localized save messages
import org.xwiki.job.Job;
import org.xwiki.job.JobContext;
import org.xwiki.job.event.status.JobProgressManager;
+import org.xwiki.localization.LocalizationManager;
import org.xwiki.model.EntityType;
import org.xwiki.model.reference.AttachmentReference;
import org.xwiki.model.reference.DocumentReference;
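Review bot: this excerpt shows only the added LocalizationManager import; the code that uses it to build the refactoring.referenceUpdater.saveMessage.* text, and the save call that is meant to keep the original author context rather than the refactoring user's, fall outside these lines, so whether the fix actually prevents rights inheritance cannot be checked from the fragment. Include the changed save method in the excerpt.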
Source: GitHub Commit ab209ac
# Patch: ApplicationResources.properties - new save messages for refactoring
refactoring.referenceUpdater.saveMessage.relativeLink=Updated the relative links.
refactoring.referenceUpdater.saveMessage.backlinks=Renamed back-links.
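Review bot: these two keys only supply the user-visible save comment; they make refactoring re-saves recognisable in page history (useful for the detection methods below) but do not by themselves change which author context the save runs under, so the properties change should be read together with the Java change, not as the fix on its own.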
Source: GitHub Commit ab209ac
Detection Methods for CVE-2025-49580
Indicators of Compromise
- Unexpected page versions where the modifier is a refactoring job user but the content includes script macros or Groovy/Velocity payloads
- New or modified xobjects on pages that did not previously hold script or programming rights
- Rename or move operations on pages with extensive back-link references followed by anomalous content execution
Detection Strategies
- Audit XWiki document revision history for content saved by the refactoring subsystem on pages containing {{script}}, {{groovy}}, or {{velocity}} macros
- Compare effective rights on pages before and after rename or move events to identify unauthorized rights escalation
- Review the XWiki access log for sequences of rename operations followed by execution of script-bearing pages
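As an added example (not part of the original page nor XWiki's own code), the first strategy above can be scripted against page history: given history entries shaped like the XWiki REST history response (the field names version, modifier and comment are assumed) and the content of each version, it flags re-saves whose save comment matches the patch's refactoring messages and whose content carries a script macro. The sample history and content are constructed.

```python
import re
from typing import Dict, List

# Script macros whose presence on a re-saved page warrants review.
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*(script|groovy|velocity)\b", re.IGNORECASE)

# Save comments added by the patch (ApplicationResources.properties above);
# the wording used by unpatched releases is not on the page, so this tuple is
# a starting point that operators should extend from their own history data.
REFACTORING_COMMENTS = ("Updated the relative links.", "Renamed back-links.")

def is_refactoring_save(entry: Dict) -> bool:
    """True when a history entry's save comment marks a refactoring link update."""
    return (entry.get("comment") or "").strip() in REFACTORING_COMMENTS

def find_script_macros(content: str) -> List[str]:
    """Names of script macros found in the page content, de-duplicated and sorted."""
    return sorted({m.group(1).lower() for m in SCRIPT_MACRO_RE.finditer(content)})

def flag_refactoring_saves(history: List[Dict], content_by_version: Dict[str, str]) -> List[Dict]:
    """Return refactoring re-saves whose content carries script macros."""
    findings = []
    for entry in history:
        if not is_refactoring_save(entry):
            continue
        macros = find_script_macros(content_by_version.get(entry["version"], ""))
        if macros:
            findings.append({"version": entry["version"],
                             "modifier": entry.get("modifier"),
                             "comment": entry["comment"],
                             "macros": macros})
    return findings

# Constructed sample data: history entries with the assumed REST field names
# (version, modifier, comment) and the page content stored at each version.
SAMPLE_HISTORY = [
    {"version": "1.1", "modifier": "xwiki:XWiki.lowpriv", "comment": "Added section"},
    {"version": "1.2", "modifier": "xwiki:XWiki.Admin", "comment": "Renamed back-links."},
    {"version": "2.1", "modifier": "xwiki:XWiki.Admin", "comment": "Fixed typo"},
]
SAMPLE_CONTENT = {
    "1.1": "See [[Target>>Docs.OldName]].\n{{velocity}}$services.query{{/velocity}}",
    "1.2": "See [[Target>>Docs.NewName]].\n{{velocity}}$services.query{{/velocity}}",
    "2.1": "See [[Target>>Docs.NewName]].\n{{velocity}}$services.query{{/velocity}}",
}

if __name__ == "__main__":
    for f in flag_refactoring_saves(SAMPLE_HISTORY, SAMPLE_CONTENT):
        print(f"review version {f['version']} saved by {f['modifier']}: {f['macros']}")
```

Only version 1.2 is reported: it is the refactoring re-save, made under a different user than the one who placed the macro in 1.1, which is exactly the history pattern the indicators above describe.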
Monitoring Recommendations
- Enable XWiki audit logging for all refactoring jobs and rename or move operations
- Monitor for creation of xobjects containing executable script payloads by users without programming rights
- Track changes to the XWiki.XWikiRights and similar permission objects following refactoring activity
How to Mitigate CVE-2025-49580
Immediate Actions Required
- Upgrade XWiki to version 17.1.0-rc-1, 16.10.4, or 16.4.7 as appropriate for your release branch
- Restrict page rename and move permissions to trusted users until the patch is applied
- Audit existing pages for script-bearing xobjects placed by low-privilege users
Patch Information
The vulnerability is fixed in XWiki versions 17.1.0-rc-1, 16.10.4, and 16.4.7. The fix is implemented in commit ab209ac and tracked in XWIKI-22836. Full details are available in the GHSA-jm43-hrq7-r7w6 advisory.
Workarounds
- Remove or restrict the Rename and Move rights for non-administrative users on sensitive spaces
- Disable automatic back-link updates in refactoring jobs where feasible
- Review and remove any unauthorized xobjects containing script macros prior to applying the patch
# Verify installed XWiki version meets the patched baseline
curl -s https://your-xwiki-host/xwiki/bin/view/Main/?xpage=version | grep -i version
# Example Maven dependency update for patched version
# In your pom.xml, set:
# <xwiki.version>16.10.4</xwiki.version>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.