CVE-2025-52472 Overview
CVE-2025-52472 is a critical HQL (Hibernate Query Language) injection vulnerability affecting XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it. The vulnerability exists in the REST search URL functionality, where the orderField parameter is susceptible to injection attacks. This flaw allows unauthenticated remote attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or complete system compromise.
Critical Impact
Unauthenticated attackers can exploit HQL injection via the REST search API to execute arbitrary database queries, potentially extracting sensitive data or compromising the entire XWiki installation.
Affected Products
- XWiki Platform versions 4.3-milestone-1 through 16.10.8
- XWiki Platform versions 17.0.0 through 17.4.1
- XWiki Platform version 17.5.0-rc-1 (prior to the 17.5.0 release)
Discovery Timeline
- 2025-10-06 - CVE-2025-52472 published to NVD
- 2025-10-08 - Last updated in NVD database
Technical Details for CVE-2025-52472
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), specifically manifesting as an HQL injection in XWiki Platform's REST search functionality. The flaw exists because user-supplied input through the orderField parameter is incorporated into HQL queries without proper sanitization or parameterization.
The exploitation complexity is nuanced: the attacker-controlled value is inserted twice into the query, once in the field list of the SELECT clause and once in the ORDER BY clause. This dual insertion makes exploitation harder but not impossible. An attacker can enclose the portion of the query between the two field references in single quotes to neutralize it, while keeping the overall query syntactically valid with the injected payload appearing twice.
The vulnerability enables network-based attacks without requiring authentication or user interaction, making it particularly dangerous for publicly accessible XWiki installations.
Root Cause
The root cause lies in the improper handling of the orderField parameter in the REST search query execution logic. The HqlQueryUtils.java class and BaseSearchResult.java components failed to validate and sanitize user input before incorporating it into dynamically constructed HQL queries. The lack of input validation allows malicious HQL syntax to be injected and executed against the underlying database.
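As an added illustration (not XWiki's code; the query shape and the field allowlist below are constructed assumptions), the following contrasts the flawed pattern, where orderField is concatenated into both the SELECT list and the ORDER BY clause, with an allowlist check that rejects anything other than a known field name before it reaches either insertion point:

```python
import re

# Constructed allowlist of sortable fields; the real set of fields XWiki accepts is not on the page.
ALLOWED_ORDER_FIELDS = frozenset({"name", "date", "creationDate", "author", "space"})

# A bare identifier: letters, digits and underscores only, so no quotes, spaces or punctuation.
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_search_hql_vulnerable(order_field: str) -> str:
    """Illustrative shape of the flaw (not XWiki's actual HQL): the caller-supplied
    value is spliced into the SELECT list and again into ORDER BY with no check,
    so any characters it carries become part of the query at both points."""
    return (
        f"select doc.fullName, doc.{order_field} from XWikiDocument doc "
        f"where doc.hidden = false order by doc.{order_field} asc"
    )


def is_safe_order_field(order_field: str) -> bool:
    """True only when the value is identifier-shaped AND one of the known sortable
    fields; the allowlist is the real control, the regex just makes intent explicit."""
    return bool(_IDENTIFIER.fullmatch(order_field)) and order_field in ALLOWED_ORDER_FIELDS


def build_search_hql_hardened(order_field: str) -> str:
    """Same query shape, but the value is validated before it touches the query,
    so both insertion points only ever see a vetted column name."""
    if not is_safe_order_field(order_field):
        raise ValueError(f"orderField not permitted: {order_field!r}")
    return build_search_hql_vulnerable(order_field)


if __name__ == "__main__":
    print(build_search_hql_hardened("date"))
    for bad in ("date'", "fullName"):
        try:
            build_search_hql_hardened(bad)
        except ValueError as exc:
            print("rejected:", exc)
```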
Attack Vector
The attack vector is network-based, targeting the REST search endpoint. An unauthenticated attacker can craft malicious requests to the REST search URL with a specially constructed orderField parameter value. The payload must be carefully designed to remain valid when inserted at both injection points in the query structure.
The attack flow involves:
- Identifying a vulnerable XWiki instance with an exposed REST API
- Crafting an HQL injection payload that works with dual insertion points
- Sending the malicious request to extract data or manipulate the database
- Using single-quote encapsulation to neutralize the query structure between injection points
The security patch addresses this issue by improving query construction in the REST search functionality. The fix involves proper input validation and sanitization in the HQL query utilities:
*/
package com.xpn.xwiki.internal.store.hibernate.query;
+import java.util.Set;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
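Review bot: the validation logic this import is meant to support is not visible in the hunk, which shows only `+import java.util.Set;` against the existing imports of HqlQueryUtils.java, so the claim that orderField is now validated cannot be checked from these lines. Quote the changed method body (the field check or allowlist that uses the new Set) alongside the import.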
Source: GitHub Commit Update
The patch also updates the query execution components to use proper parameterization:
import org.xwiki.query.Query;
import org.xwiki.query.QueryException;
import org.xwiki.query.QueryFilter;
+import org.xwiki.query.QueryManager;
import org.xwiki.rest.Relations;
import org.xwiki.rest.XWikiResource;
import org.xwiki.rest.internal.ModelFactory;
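Review bot: the parameterized query construction described above is not shown here; the hunk contains only `+import org.xwiki.query.QueryManager;` among the unchanged imports of the REST resource, so the parameterization claim is not traceable to these lines. Include the changed query-building code from BaseSearchResult.java so a reader can see how the query is now built.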
Source: GitHub Commit Update
Detection Methods for CVE-2025-52472
Indicators of Compromise
- Unusual REST API search requests containing SQL/HQL syntax characters such as single quotes, semicolons, or UNION keywords in the orderField parameter
- Database query logs showing malformed or suspicious HQL statements originating from the XWiki REST search endpoint
- Unexpected data access patterns or bulk data extraction from the XWiki database
- Web access logs showing repeated requests to REST search endpoints with varying orderField values indicative of injection attempts
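To turn the indicators above into a concrete check, here is an added example (not from the page's source or from XWiki) that scans constructed Apache access log lines for REST search requests whose orderField is not a plain identifier, decoding a second time to catch double-encoded values, and that also flags clients cycling through many distinct orderField values; the search path and the log samples are assumed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined format; not real traffic. The REST search
# path /xwiki/rest/wikis/{wiki}/search is assumed for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2025:10:00:01 +0000] "GET /xwiki/rest/wikis/xwiki/search?q=report&orderField=date HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Oct/2025:10:00:02 +0000] "GET /xwiki/rest/wikis/xwiki/search?q=x&orderField=name%27 HTTP/1.1" 500 210 "-" "curl/8.4.0"
203.0.113.9 - - [06/Oct/2025:10:00:03 +0000] "GET /xwiki/rest/wikis/xwiki/search?q=x&orderField=name%3B HTTP/1.1" 500 210 "-" "curl/8.4.0"
203.0.113.9 - - [06/Oct/2025:10:00:04 +0000] "GET /xwiki/rest/wikis/xwiki/search?q=x&orderField=name%2520UNION HTTP/1.1" 200 9100 "-" "curl/8.4.0"
198.51.100.4 - - [06/Oct/2025:10:00:05 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate orderField is a plain identifier (dots allowed for nested properties);
# quotes, semicolons, spaces, parentheses or keywords all fail this and get flagged.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def analyze_access_log(log_text: str, noisy_threshold: int = 3):
    """Return (findings, noisy_ips): findings are (ip, timestamp, decoded orderField, status)
    for search requests whose orderField is not identifier-shaped; noisy_ips are clients
    that sent at least noisy_threshold distinct orderField values (probing behaviour)."""
    findings = []
    values_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if "/rest/" not in url.path or not url.path.rstrip("/").endswith("/search"):
            continue
        for value in parse_qs(url.query).get("orderField", []):
            value = unquote(value)  # parse_qs decoded once; a second pass catches double-encoding
            values_by_ip[m["ip"]].add(value)
            if not IDENTIFIER.fullmatch(value):
                findings.append((m["ip"], m["ts"], value, int(m["status"])))
    noisy_ips = {ip for ip, vals in values_by_ip.items() if len(vals) >= noisy_threshold}
    return findings, noisy_ips


if __name__ == "__main__":
    hits, probers = analyze_access_log(SAMPLE_LOG)
    for hit in hits:
        print("suspicious orderField:", hit)
    print("clients cycling orderField values:", sorted(probers))
```

The identifier check deliberately avoids a keyword blocklist: anything that is not a field name is reported, which is the same stance the fix itself should take.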
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block HQL/SQL injection patterns in REST API parameters
- Implement logging and monitoring on the XWiki REST search endpoint to capture all requests with their full parameter values
- Configure database query auditing to detect anomalous query patterns or unauthorized data access
- Use intrusion detection systems (IDS) with signatures for common injection attack patterns
Monitoring Recommendations
- Enable verbose logging for XWiki REST API endpoints and forward logs to a centralized SIEM solution
- Monitor database performance metrics for unusual query execution times or resource consumption that may indicate injection exploitation
- Set up alerts for failed authentication attempts or unexpected error rates from the REST API
- Implement application-layer monitoring to track request patterns to the search functionality
How to Mitigate CVE-2025-52472
Immediate Actions Required
- Upgrade XWiki Platform to version 16.10.9, 17.4.2, or 17.5.0 immediately
- If immediate patching is not possible, consider temporarily disabling or restricting access to the REST search API
- Review access logs for any signs of exploitation attempts against the REST search endpoint
- Implement network-level restrictions to limit REST API access to trusted IP addresses
Patch Information
XWiki has released security patches addressing this vulnerability. Users should upgrade to one of the following fixed versions:
- Version 16.10.9 - For users on the 16.x LTS branch
- Version 17.4.2 - For users on the 17.4.x release branch
- Version 17.5.0 - Latest stable release with the fix
Detailed patch information is available in the GitHub Security Advisory and tracked in XWiki Jira Issue XWIKI-23247.
Workarounds
- No official workarounds are available from the vendor for this vulnerability
- As a temporary measure, restrict access to the REST API at the network level using firewall rules or reverse proxy configurations
- Consider implementing a WAF with custom rules to block requests containing suspicious characters in the orderField parameter
- Monitor and audit all REST API access while awaiting patch deployment
# Example: Restrict REST API access via Apache reverse proxy
<Location "/xwiki/rest/">
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.