CVE-2025-66474 Overview
CVE-2025-66474 is a code injection vulnerability in XWiki Rendering, the generic rendering system that converts textual input from one syntax (wiki, HTML) to another (XHTML). The flaw is caused by insufficient protection against {{/html}} injection in wiki content. Any authenticated user who can edit their own profile or any document can break out of the HTML macro context and execute arbitrary script macros, including Groovy and Python. Successful exploitation yields remote code execution on the wiki server and unrestricted read and write access to all wiki contents. The issue affects versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0. Fixes are available in versions 16.10.10, 17.4.3, and 17.6.0-rc-1.
Critical Impact
A low-privileged authenticated user can achieve remote code execution and full read/write access to wiki contents through {{/html}} macro injection.
Affected Products
- XWiki Rendering versions 16.10.9 and below
- XWiki Rendering 17.0.0-rc-1 through 17.4.2
- XWiki Rendering 17.5.0-rc-1 through 17.5.0
Discovery Timeline
- 2025-12-10 - CVE-2025-66474 published to NVD
- 2025-12-19 - Last updated in NVD database
Technical Details for CVE-2025-66474
Vulnerability Analysis
XWiki Rendering parses wiki syntax containing macro blocks delimited by {{macroName}}...{{/macroName}}. The HTML macro lets authors embed raw HTML within wiki pages. The rendering layer fails to sanitize content that contains the closing macro sequence {{/html}} inside attacker-controlled input. An attacker can supply input containing {{/html}} followed by another macro call, such as {{groovy}} or {{python}}. The injected sequence terminates the HTML macro early and starts a script macro under the attacker's control. Because script macros execute server-side with the privileges available to the page, the attacker reaches remote code execution from a position that should have been confined to HTML rendering. The vulnerability maps to CWE-94 (Improper Control of Generation of Code) and CWE-95 (Eval Injection).
Root Cause
The rendering pipeline does not escape or neutralize occurrences of the macro terminator inside HTML macro content. A user who can edit any document — including their own user profile, which most authenticated users can edit — can place crafted text that breaks out of the macro context.
Attack Vector
The attacker needs only a normal authenticated account on the XWiki instance. They edit their profile or any document they can modify and inject a payload such as {{/html}}{{groovy}}<malicious code>{{/groovy}}. When the page is rendered, the Groovy or Python macro runs with script execution privileges, allowing OS command execution, file access, and arbitrary modification of wiki content.
No verified public exploit code is available. Technical details are documented in the GitHub Security Advisory GHSA-9xc6-c2rm-f27p and the related Jira issues XRENDERING-693, XRENDERING-792, XRENDERING-793, and XWIKI-23378.
Detection Methods for CVE-2025-66474
Indicators of Compromise
- Document or user profile revisions containing the literal sequence {{/html}} followed by {{groovy}}, {{python}}, or other script macro identifiers.
- Unexpected child processes spawned by the XWiki JVM, such as sh, bash, cmd.exe, or powershell.exe.
- New or modified wiki pages authored by accounts that previously had no editing activity in administrative spaces.
- Outbound network connections initiated by the XWiki application process to unfamiliar hosts shortly after page edits.
Detection Strategies
- Search the XWiki document store and revision history for payload patterns combining macro closing tags and script macros.
- Monitor application logs for script macro execution events triggered from user profile pages or low-privilege spaces.
- Correlate document edit events with JVM child-process creation and file system writes outside the XWiki data directory.
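The first two detection strategies above, searching stored revisions for the break-out pattern and flagging the indicator listed under Indicators of Compromise, can be scripted. The following is an added example, not code from the advisory or from the XWiki project. It assumes a simple Revision record standing in for whatever the document store returns, takes groovy and python from the advisory and adds velocity and script as other XWiki script macro names (an assumption about what "other script macro identifiers" covers), and matches case-insensitively with whitespace tolerance so trivial spelling variants of the pattern are not missed. The sample revisions are constructed.

```python
import re
from dataclasses import dataclass

# Script macro names: groovy and python are named in the advisory; velocity and
# script are other XWiki script macros included here as an assumption.
SCRIPT_MACROS = ("groovy", "python", "velocity", "script")

# A closing {{/html}} followed, after optional whitespace, by an opening script
# macro. Case-insensitive and tolerant of spaces inside the braces.
BREAKOUT_RE = re.compile(
    r"\{\{\s*/\s*html\s*\}\}\s*\{\{\s*(" + "|".join(SCRIPT_MACROS) + r")\b[^}]*\}\}",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Revision:
    """One stored revision of a wiki document (constructed; not XWiki's own model)."""
    document: str
    version: str
    author: str
    content: str


def find_breakout(content: str):
    """Return the lower-cased script macro name that directly follows a {{/html}}
    in content, or None when the break-out pattern does not occur."""
    match = BREAKOUT_RE.search(content)
    return match.group(1).lower() if match else None


def scan_revisions(revisions):
    """Return (document, version, author, macro) for every revision whose
    content matches the break-out pattern, in input order."""
    hits = []
    for rev in revisions:
        macro = find_breakout(rev.content)
        if macro is not None:
            hits.append((rev.document, rev.version, rev.author, macro))
    return hits


# Constructed sample revisions standing in for a query against the XWiki
# document store / revision history.
SAMPLE_REVISIONS = [
    Revision("Main.WebHome", "1.1", "admin",
             "{{html}}<p>Welcome</p>{{/html}}"),
    Revision("XWiki.alice", "2.3", "alice",
             "{{html}}<div>{{/html}}{{groovy}}/* placeholder */{{/groovy}}{{html}}</div>{{/html}}"),
    Revision("Sandbox.Notes", "1.2", "bob",
             "{{html}}<i>x</i>{{/HTML}}\n  {{ Python }}# placeholder{{/python}}"),
    Revision("Sandbox.Clean", "1.1", "carol",
             "Mentions {{/html}} in prose but no script macro follows."),
]

if __name__ == "__main__":
    for doc, version, author, macro in scan_revisions(SAMPLE_REVISIONS):
        print(f"{doc} v{version} by {author}: {{{{/html}}}} followed by {{{{{macro}}}}}")
```

A revision written by a trusted author that legitimately closes an HTML macro and then opens a script macro produces the same text, so each hit should be compared against the author's Script and Programming rights rather than treated as confirmed exploitation on its own. The same regular expression is a starting point for the request-body rule described under Workarounds.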
Monitoring Recommendations
- Enable verbose audit logging for document edits and macro execution in XWiki configuration.
- Forward XWiki application and access logs to a centralized SIEM or data lake for retention and correlation.
- Alert on creation of new admin-equivalent accounts or permission changes following document edit activity.
How to Mitigate CVE-2025-66474
Immediate Actions Required
- Upgrade XWiki Rendering to version 16.10.10, 17.4.3, or 17.6.0-rc-1 or later as appropriate for your branch.
- Audit recent edits to user profiles and documents for embedded {{/html}} and script macro sequences.
- Restrict edit rights on the wiki to trusted users until the patch is applied.
- Rotate credentials and review wiki content integrity if exploitation is suspected.
Patch Information
Fixes are committed in the upstream repositories. See XWiki Rendering commit 9b71a2ee and XWiki Platform commit 12b780cc. Upgrade to XWiki Rendering 16.10.10, 17.4.3, or 17.6.0-rc-1.
Workarounds
- Temporarily remove script execution rights (Script, Programming) from non-administrative users to limit macro privileges.
- Disable the HTML macro on instances where it is not required by editors.
- Place the XWiki instance behind a web application firewall rule that blocks request bodies containing {{/html}} adjacent to known script macro tags until the upgrade is completed.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.