CVE-2025-65091 Overview
CVE-2025-65091 is a SQL injection vulnerability affecting XWiki Full Calendar Macro, a component that displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit this vulnerability to access database information or initiate a denial-of-service (DoS) attack. The vulnerability requires no authentication, making it particularly dangerous for internet-facing XWiki installations.
Critical Impact
Unauthenticated attackers can exploit this SQL injection flaw to extract sensitive database contents or cause service disruption through DoS attacks. The vulnerability affects all installations running versions prior to 2.4.5.
Affected Products
- XWiki Full Calendar Macro versions prior to 2.4.5
Discovery Timeline
- 2026-01-10 - CVE-2025-65091 published to NVD
- 2026-01-29 - Last updated in the NVD database
Technical Details for CVE-2025-65091
Vulnerability Analysis
This vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), commonly known as SQL Injection. The flaw exists in the Calendar.JSONService page, which processes user-supplied input without adequate sanitization before incorporating it into SQL queries.
The vulnerability is particularly severe because it is accessible to unauthenticated users, including guest visitors. An attacker can craft malicious requests to the Calendar.JSONService endpoint to inject arbitrary SQL commands into the underlying database queries. This can result in unauthorized access to sensitive data stored in the XWiki database, including user credentials, wiki content, and configuration information.
Additionally, the vulnerability can be weaponized for denial-of-service attacks by crafting SQL queries that consume excessive database resources, causing the application to become unresponsive.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and sanitization in the Calendar.JSONService page handler. User-supplied parameters are directly concatenated into SQL query strings without proper escaping or parameterized query usage, allowing attackers to break out of the intended query context and inject malicious SQL statements.
Attack Vector
The attack vector is network-based and requires no prior authentication. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable Calendar.JSONService endpoint. The attack can be performed remotely by any user who can access the XWiki instance, including anonymous guest users with view permissions to the affected page.
The vulnerability allows attackers to perform various SQL injection techniques including:
- Union-based injection to extract data from other tables
- Error-based injection to enumerate database structure
- Time-based blind injection for stealthier data extraction
- Resource-intensive queries for denial-of-service attacks
Detection Methods for CVE-2025-65091
Indicators of Compromise
- Unusual HTTP requests to the Calendar.JSONService endpoint containing SQL keywords or special characters
- Database logs showing malformed or unexpected SQL queries originating from calendar service components
- Increased database resource utilization or query timeouts associated with calendar-related requests
Detection Strategies
- Monitor web application logs for requests to Calendar.JSONService containing SQL injection payloads such as UNION SELECT, OR 1=1, single quotes, or comment sequences
- Implement web application firewall (WAF) rules to detect and block common SQL injection patterns targeting XWiki endpoints
- Review database query logs for anomalous activity patterns that may indicate exploitation attempts
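To make the first detection strategy concrete, the following added example (not code from XWiki or from this advisory) scans constructed access-log lines for requests to the Calendar.JSONService page whose decoded parameters contain the patterns listed above. The combined log format and the XWiki URL layout /bin/<action>/Calendar/JSONService are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic). The path layout
# /bin/<action>/<Space>/<Page> is the usual XWiki URL scheme (assumption).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:01:02 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain&start=2026-01-01 HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2026:10:01:05 +0000] "GET /xwiki/bin/get/Calendar/JSONService?start=2026-01-01%27%20OR%201%3D1--%20 HTTP/1.1" 200 9831
203.0.113.9 - - [10/Jan/2026:10:01:09 +0000] "GET /xwiki/bin/get/Calendar/JSONService?start=x%27%20UNION%20SELECT%201 HTTP/1.1" 500 0
198.51.100.4 - - [10/Jan/2026:10:02:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 2048
"""

# Minimal parser for the combined log format: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Only requests whose path targets the Calendar.JSONService page are of interest.
CALENDAR_RE = re.compile(r'/Calendar/JSONService(?:$|[/?])', re.IGNORECASE)

# Patterns from the advisory's detection guidance: UNION SELECT, OR 1=1,
# single quotes and SQL comment sequences. Checked on the decoded parameter values.
SUSPICIOUS = [
    ("union_select", re.compile(r'\bunion\b\s+(?:all\s+)?select\b', re.IGNORECASE)),
    ("or_tautology", re.compile(r'\bor\b\s+\d+\s*=\s*\d+', re.IGNORECASE)),
    ("single_quote", re.compile(r"'")),
    ("sql_comment", re.compile(r'--|/\*')),
]

def scan_line(line):
    """Return (ip, url, [matched pattern names]) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m or not CALENDAR_RE.search(urlsplit(m["url"]).path):
        return None
    query = urlsplit(m["url"]).query
    # parse_qsl decodes once; decoding again exposes double-encoded quotes and keywords.
    decoded = " ".join(unquote_plus(v) for _, v in parse_qsl(query, keep_blank_values=True))
    hits = [name for name, rx in SUSPICIOUS if rx.search(decoded)]
    return (m["ip"], m["url"], hits) if hits else None

def scan_log(text):
    """Scan a whole log and return every flagged request in order of appearance."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, url, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {','.join(hits)} {url}")
```

A single quote alone is a weak signal on its own (legitimate titles contain apostrophes), so alert on combinations of hits or on repeated hits from one client rather than on one match.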
Monitoring Recommendations
- Enable verbose logging for the XWiki application and database components to capture detailed request information
- Configure alerting for failed or unusual database queries originating from the calendar macro component
- Monitor for denial-of-service indicators such as sudden spikes in database CPU usage or connection pool exhaustion
How to Mitigate CVE-2025-65091
Immediate Actions Required
- Upgrade XWiki Full Calendar Macro to version 2.4.5 or later immediately
- If immediate patching is not possible, restrict access to the Calendar.JSONService page by modifying page permissions
- Implement network-level access controls to limit who can reach the affected endpoint
Patch Information
XWiki has released version 2.4.5 which addresses this SQL injection vulnerability. The fix is available in commit 5fdcf06a05015786492fda69b4d9dea5460cc994. Organizations should upgrade to the patched version as soon as possible.
For detailed security information, refer to the GitHub Security Advisory GHSA-2g22-wg49-fgv5.
Workarounds
- Restrict access permissions to the Calendar.JSONService page to prevent unauthenticated access
- Deploy a web application firewall with SQL injection protection rules in front of the XWiki instance
- Consider temporarily disabling the Full Calendar Macro functionality until the patch can be applied
Example: restricting access to Calendar.JSONService via the XWiki administration UI
- Navigate to XWiki Administration > Content > Page Administration
- Set view permissions for Calendar.JSONService to authenticated users only
- This reduces the attack surface by blocking guest access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.