CVE-2025-49586 Overview
CVE-2025-49586 is an authorization vulnerability in XWiki, an open-source wiki software platform. Any authenticated XWiki user holding edit rights on at least one App Within Minutes application can elevate to programming rights by editing the application. Because edit rights on App Within Minutes applications are granted to all users by default, the barrier to exploitation is low. Successful exploitation yields remote code execution on the XWiki server. The issue is tracked under CWE-863: Incorrect Authorization and was fixed in XWiki 17.0.0, 16.10.3, and 16.4.7.
Critical Impact
Authenticated users with default edit permissions can obtain programming rights and execute arbitrary code on the XWiki server, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- XWiki Platform versions prior to 16.4.7
- XWiki Platform 16.5.0 through 16.10.2
- XWiki Platform 17.0.0 release candidates prior to 17.0.0 GA
Discovery Timeline
- 2025-06-13 - CVE-2025-49586 published to NVD
- 2025-09-03 - Last updated in NVD database
Technical Details for CVE-2025-49586
Vulnerability Analysis
XWiki uses an author-based privilege model. Scripts and templates execute with the rights of the document author, and programming right is required to perform privileged operations such as accessing internal APIs or invoking Groovy scripts. The App Within Minutes module lets users build structured applications through a web UI. Custom property displayers tied to these applications were executed using the rights of the editing user rather than the rights of the owner document author. An attacker editing a custom displayer could therefore inject script content that escalated to programming right when rendered, resulting in server-side code execution.
Root Cause
The root cause lies in PropertyClass.java within xwiki-platform-oldcore. Custom displayers were rendered without delegating execution to the owner document's author through AuthorExecutor. This authorization mismatch allowed a low-privileged editor to leverage a higher-privileged author context. The fix changes the custom displayer rendering path to use the author of the owner document.
Attack Vector
An authenticated user navigates to any App Within Minutes application on which they hold edit rights. The attacker modifies a custom property displayer to include script content that requires programming right, such as Groovy macros or privileged Velocity bindings. When the application is rendered, the injected script executes under the author context of the owner document, granting the attacker arbitrary code execution on the underlying server.
// Security patch excerpt - PropertyClass.java
import org.xwiki.model.reference.EntityReference;
import org.xwiki.script.ScriptContextManager;
import org.xwiki.security.authorization.AuthorExecutor;
+import org.xwiki.stability.Unstable;
import org.xwiki.template.Template;
import org.xwiki.template.TemplateManager;
// Source: https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42
The patch introduces the use of AuthorExecutor so custom displayers are executed with the rights of the owner document's author instead of the editing user. See the GitHub Security Advisory GHSA-jp4x-w9cj-97q7 for the full technical writeup.
Detection Methods for CVE-2025-49586
Indicators of Compromise
- Unexpected edits to App Within Minutes application documents or custom property displayer templates by non-administrator accounts.
- New or modified XWiki documents containing Groovy macros, {{groovy}}, or privileged Velocity calls authored by low-privileged users.
- XWiki server processes spawning shell interpreters such as sh, bash, or cmd.exe, or making outbound network connections to unknown hosts.
- Creation of new admin-level XWiki users or modification of XWiki.XWikiPreferences shortly after an edit to an App Within Minutes application.
Detection Strategies
- Review XWiki audit logs and document revision history for changes to App Within Minutes applications and their property classes.
- Hunt for script content requiring programming right embedded in user-editable application documents.
- Correlate Java process telemetry from the XWiki host with web access logs to identify suspicious child processes following a /bin/edit/ or /bin/save/ request.
Monitoring Recommendations
- Forward XWiki application logs and access logs to a centralized log platform and alert on edits to documents under the AppWithinMinutes space.
- Monitor outbound connections from the application server JVM for non-baseline destinations.
- Track creation or modification of users in the XWiki space and changes to global rights documents.
How to Mitigate CVE-2025-49586
Immediate Actions Required
- Upgrade XWiki to version 17.0.0, 16.10.3, or 16.4.7 as appropriate for your release branch.
- Audit edit rights on App Within Minutes applications and revoke broad default grants where they are not required.
- Review recent revisions of App Within Minutes application documents and roll back any unauthorized changes.
- Rotate XWiki administrator credentials and any secrets stored in the wiki if compromise is suspected.
Patch Information
The vulnerability is fixed by commit ef978315, which changes custom displayers to execute under the author of the owner document via AuthorExecutor. Fixed releases are XWiki 17.0.0, 16.10.3, and 16.4.7. Tracking details are available in XWiki Issue XWIKI-22719.
Workarounds
- Restrict edit rights on App Within Minutes applications to trusted administrators by editing XWiki.XWikiPreferences and the rights of each application document.
- Disable or remove the App Within Minutes module on instances that do not require it.
- Place the XWiki instance behind authentication-aware reverse proxy rules that limit access to /bin/edit/AppWithinMinutes/ paths to administrative users until patching is complete.
# Verify the installed XWiki version against fixed releases
curl -s -u admin:password https://xwiki.example.com/bin/view/Main/ \
| grep -i 'xwiki-version'
# Example: review recent edits in the AppWithinMinutes space
curl -s -u admin:password \
"https://xwiki.example.com/rest/wikis/xwiki/spaces/AppWithinMinutes/pages?number=50"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
