CVE-2025-49584 Overview
CVE-2025-49584 is an information disclosure vulnerability affecting XWiki Platform, a widely deployed open-source wiki platform. The vulnerability allows unauthenticated attackers to access page titles through the REST API by exploiting insufficient access control checks on XClass property value providers. While the REST endpoint verifies access rights on the XClass definition, it fails to validate permissions on the pages themselves when retrieving the titles of pages referenced via page properties.
This vulnerability is particularly concerning for organizations that rely on obfuscated page names to protect sensitive information, as attackers can enumerate page titles by making individual REST API requests for any known page reference.
Critical Impact
Attackers can bypass access controls to retrieve page titles of restricted content through the REST API, potentially exposing sensitive information in wiki environments where page titles contain confidential data.
Affected Products
- XWiki Platform versions 10.9 through 16.4.6
- XWiki Platform versions 16.5.0-rc-1 through 16.10.2
- XWiki Platform version 17.0.0-rc-1
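The affected ranges above mix plain releases with release candidates, so comparing an installed version against them by hand is error-prone. The following Python helper is an added example (not XWiki code) that encodes the ranges exactly as this page lists them, treats an "-rc-N" build as older than the final release with the same number, and reports the smallest fixed version from the Patch Information section that is not older than the installed one. The version strings it parses and the `recommended_fix` policy are this example's own assumptions; anything outside the listed ranges (for instance release candidates of 17.0.0 other than rc-1, which the page does not mention) is reported as not affected.

```python
import re

# Affected ranges and fixed versions exactly as listed on this page.
AFFECTED_RANGES = [
    ("10.9", "16.4.6"),
    ("16.5.0-rc-1", "16.10.2"),
    ("17.0.0-rc-1", "17.0.0-rc-1"),
]
FIXED_VERSIONS = ["16.4.7", "16.10.3", "17.0.0"]

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?")


def parse_version(version):
    """Map an XWiki version string such as '16.5.0-rc-1' or '10.9' to a sortable tuple.

    A release candidate sorts before the final release carrying the same number:
    the final release gets the suffix (1, 0), rc-N gets (0, N).
    """
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, rc = m.groups()
    numbers = (int(major), int(minor), int(patch or 0))
    suffix = (1, 0) if rc is None else (0, int(rc))
    return numbers + suffix


def is_affected(version):
    """True if the installed version falls inside one of the affected ranges."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(version):
    """Smallest fixed version not older than the installed one; None if not affected."""
    if not is_affected(version):
        return None
    pv = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed) >= pv:
            return fixed
    return FIXED_VERSIONS[-1]  # not reachable with the ranges above, kept for safety


if __name__ == "__main__":
    for v in ["12.3", "16.4.6", "16.4.7", "16.5.0-rc-1", "16.10.2", "17.0.0-rc-1", "17.0.0"]:
        print(f"{v:14} affected={is_affected(v)!s:5} upgrade_to={recommended_fix(v)}")
```

The version string to feed in is the one an administrator sees in the wiki's administration UI or in the distribution's version properties; the helper deliberately raises on strings it cannot parse rather than guessing.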
Discovery Timeline
- June 13, 2025 - CVE-2025-49584 published to NVD
- September 03, 2025 - Last updated in NVD database
Technical Details for CVE-2025-49584
Vulnerability Analysis
The vulnerability resides in the REST API's handling of XClass property value providers. When an XClass with a page property is accessible (which is the default configuration in XWiki installations), the REST endpoint allows retrieval of page titles without performing adequate authorization checks on the target pages themselves.
The core issue is a missing access control verification step. While the system correctly validates that the requesting user has access to the XClass definition, it does not verify whether the user should have permission to view the titles of the pages referenced by that XClass property. This creates an authorization bypass where page titles can be enumerated one request at a time.
The impact severity depends significantly on the organization's page naming conventions. In default XWiki configurations where page names typically match their titles, the information disclosure risk is relatively limited. However, for deployments where page names are intentionally obfuscated to protect sensitive title information, this vulnerability represents a significant confidentiality breach.
Root Cause
The root cause is a missing authorization check, classified as CWE-201 (Insertion of Sensitive Information Into Sent Data), in the AbstractDocumentListClassPropertyValuesProvider and GroupsClassPropertyValuesProvider classes. These components produce the value suggestions for XClass properties, but they return page titles without first checking that the requesting user is allowed to view the referenced pages, so the title data is included in API responses regardless of the user's rights on the associated page content.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with knowledge of page references in the target XWiki installation can craft REST API requests to the property values endpoint. By specifying page references in the request parameters, the attacker receives the corresponding page titles in the response, effectively bypassing any access restrictions on those pages.
The attack flow involves:
- Identifying accessible XClass definitions with page properties
- Constructing REST API requests targeting the property values endpoint
- Supplying known page references as query parameters
- Extracting page titles from the API response
// Security patch adding authorization checks
// Source: https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec
import org.xwiki.rest.model.jaxb.PropertyValue;
import org.xwiki.rest.model.jaxb.PropertyValues;
import org.xwiki.rest.resources.classes.ClassPropertyValuesProvider;
+import org.xwiki.security.authorization.ContextualAuthorizationManager;
+import org.xwiki.security.authorization.Right;
import com.xpn.xwiki.XWiki;
import com.xpn.xwiki.XWikiContext;
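Review bot: only the two added imports (ContextualAuthorizationManager and Right) are visible in this hunk; the call site that checks the requesting user's view right on each referenced document before its title is added to the response lies outside the excerpt, so the fragment alone does not show where the check is applied or whether it covers every code path that emits a title. The full commit at the source URL above has to be read to confirm that.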
The patch introduces the ContextualAuthorizationManager and Right classes to enforce proper access control checks before returning page titles. Additional changes in GroupsClassPropertyValuesProvider similarly add the Right import to support authorization validation:
// Additional authorization import for GroupsClassPropertyValuesProvider
// Source: https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec
import org.xwiki.query.QueryBuilder;
import org.xwiki.rendering.syntax.Syntax;
import org.xwiki.rest.model.jaxb.PropertyValues;
+import org.xwiki.security.authorization.Right;
import org.xwiki.wiki.user.UserScope;
import org.xwiki.wiki.user.WikiUserManager;
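Review bot: only the Right import is visible here, with no matching ContextualAuthorizationManager import, so either GroupsClassPropertyValuesProvider already has an authorization manager injected or the check is delegated to a shared base class; the excerpt does not show which. The full commit should be checked to confirm that group references get the same per-document view check as the document list provider.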
Detection Methods for CVE-2025-49584
Indicators of Compromise
- Unusual volume of REST API requests targeting property values endpoints
- API requests containing references to pages the requesting user should not have access to
- Sequential or enumeration-pattern requests to property value providers
- Unauthenticated access attempts to REST API endpoints related to XClass properties
Detection Strategies
- Monitor REST API access logs for requests to /rest/wikis/*/classes/*/properties/*/values endpoints
- Implement rate limiting detection for property value provider endpoints
- Alert on API requests from unauthenticated sessions attempting to access class property values
- Analyze request patterns for systematic page reference enumeration attempts
Monitoring Recommendations
- Enable detailed logging for XWiki REST API endpoints
- Deploy web application firewall rules to detect and block enumeration attempts
- Configure SIEM rules to correlate multiple property value requests from single sources
- Establish baseline metrics for normal REST API usage to identify anomalous patterns
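The detection strategies and monitoring recommendations above come down to watching the property values endpoint for one source issuing many requests in a short time. The Python script below is an added example (not XWiki or page code) of that logic run over constructed Apache combined-format access-log lines: it parses each line, matches the /rest/wikis/*/classes/*/properties/*/values path regardless of the query string, groups requests by source IP and raises an alert when a source issues a threshold of requests inside a sliding time window. The sample lines, the query parameter name (fp), the page references and the threshold and window values are all this example's assumptions. Note that the remote-user field of an Apache log only reflects proxy-level authentication such as the Basic auth workaround described later on this page; XWiki's own session login does not appear there, so the `proxy_authenticated` flag is a hint, not proof that the caller was a guest.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in Apache combined format; not real traffic.
# The query parameter name (fp) and the page references are assumptions.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2025:10:00:01 +0000] "GET /xwiki/rest/wikis/xwiki/classes/XWiki.TagClass/properties/tags/values?fp=Hidden.Page1 HTTP/1.1" 200 412 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jul/2025:10:00:02 +0000] "GET /xwiki/rest/wikis/xwiki/classes/XWiki.TagClass/properties/tags/values?fp=Hidden.Page2 HTTP/1.1" 200 398 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jul/2025:10:00:03 +0000] "GET /xwiki/rest/wikis/xwiki/classes/XWiki.TagClass/properties/tags/values?fp=Hidden.Page3 HTTP/1.1" 200 401 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jul/2025:10:00:04 +0000] "GET /xwiki/rest/wikis/xwiki/classes/XWiki.TagClass/properties/tags/values?fp=Hidden.Page4 HTTP/1.1" 200 405 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jul/2025:10:00:05 +0000] "GET /xwiki/rest/wikis/xwiki/classes/XWiki.TagClass/properties/tags/values?fp=Hidden.Page5 HTTP/1.1" 200 409 "-" "curl/8.0"',
    '198.51.100.4 - alice [10/Jul/2025:10:01:00 +0000] "GET /xwiki/rest/wikis/xwiki/classes/XWiki.TagClass/properties/tags/values?fp=Sand HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.4 - alice [10/Jul/2025:10:01:30 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Apache combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The XClass property values endpoint named in the detection strategies.
VALUES_RE = re.compile(r'/rest/wikis/[^/]+/classes/[^/]+/properties/[^/]+/values')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['ts'] = datetime.strptime(entry['ts'], '%d/%b/%Y:%H:%M:%S %z')
    path, _, query = entry['path'].partition('?')
    entry['path'], entry['query'] = path, query
    return entry


def is_property_values_request(entry):
    """True if the parsed entry targets the property values endpoint (any query)."""
    return entry is not None and VALUES_RE.search(entry['path']) is not None


def find_enumeration(lines, threshold=5, window_seconds=60):
    """Group property-values requests by source IP and report every source that
    issues at least `threshold` such requests inside any `window_seconds` window."""
    per_source = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if is_property_values_request(entry):
            per_source[entry['ip']].append(entry)

    alerts = []
    for ip, entries in per_source.items():
        entries.sort(key=lambda e: e['ts'])
        times = [e['ts'] for e in entries]
        start, hit = 0, False
        # Sliding window: advance `start` until the window fits, then check its size.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hit = True
                break
        if hit:
            alerts.append({
                'ip': ip,
                'requests': len(entries),
                'distinct_queries': len({e['query'] for e in entries}),
                # Only proxy-level auth (e.g. Basic auth in front of /rest/) shows up here.
                'proxy_authenticated': any(e['user'] != '-' for e in entries),
            })
    return alerts


if __name__ == '__main__':
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

For production use, feed the script the rotated access logs of the reverse proxy in front of XWiki (or XWiki's own request log if enabled) and tune `threshold` and `window_seconds` against the baseline REST usage the monitoring recommendations ask you to establish; the `distinct_queries` count separates a client retrying one lookup from one walking through many page references.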
How to Mitigate CVE-2025-49584
Immediate Actions Required
- Upgrade XWiki Platform to version 16.4.7, 16.10.3, or 17.0.0 immediately
- Review REST API access logs for potential exploitation attempts
- Audit page titles for sensitive information exposure
- Consider restricting REST API access to authenticated users only as a temporary measure
Patch Information
XWiki has released security patches that add proper access control checks before returning page titles. The fix is included in:
- XWiki 16.4.7 - Patch for the 16.4.x branch
- XWiki 16.10.3 - Patch for the 16.10.x branch
- XWiki 17.0.0 - Patch for the 17.x branch
The security fix is documented in XWiki Jira issue XWIKI-22736 and the GitHub Security Advisory GHSA-mvp5-qx9c-c3fv. The patch commit can be reviewed at https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec.
Workarounds
- Convert the wiki to a fully private configuration, so that the XClass definition (and therefore the REST endpoint that serves its property values) is no longer accessible without authentication
- Implement network-level restrictions to limit REST API access to trusted IP ranges
- Deploy a reverse proxy with authentication requirements for REST API endpoints
- Review and sanitize page titles to remove sensitive information where possible
# Configuration example - Restrict REST API access via reverse proxy
# Apache configuration to require authentication for XWiki REST API
# (requires mod_auth_basic, mod_authn_file and mod_authz_user to be loaded;
#  the password file is created with the htpasswd tool)
<Location "/xwiki/rest/">
    AuthType Basic
    AuthName "XWiki REST API"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

