Platform
java
Component
org.xwiki.platform:xwiki-platform-rest-server
Fixed in
15.10.16
16.4.6
16.10.1
CVE-2025-32969 is a critical SQL injection vulnerability in the XWiki Platform REST server (org.xwiki.platform:xwiki-platform-rest-server). The flaw is in the REST API query endpoint: an unauthenticated, remote attacker can submit a crafted query that reaches the database backend directly, bypassing the wiki's access controls. Affected releases are those before 15.10.16, the 16.0 to 16.4 line before 16.4.6, and the 16.5 and later line before 16.10.1; upgrading to the fixed release of your branch resolves the issue.
The impact of CVE-2025-32969 is severe. An attacker can use the injection to execute arbitrary SQL against the database without authenticating, with whatever privileges the database account used by XWiki holds. The bypass works even when the "Prevent unregistered users from viewing pages" and "Prevent unregistered users from editing pages" options are enabled, so the wiki's own access controls offer no protection. Successful exploitation can expose sensitive data such as password hashes, and, depending on the database account's rights, allow unauthorized modification or deletion of data. The risk is greatest where XWiki manages critical or confidential information.
CVE-2025-32969 was publicly disclosed on April 23, 2025. The vulnerability is easy to exploit (a single unauthenticated HTTP request to the REST query endpoint) and the payoff is direct database access, which is reflected in the EPSS score of 26.88% (96th percentile) at the time of writing. No public proof-of-concept (PoC) code had been released when this page was written, but given the nature of the flaw such code is likely to appear. Monitor security advisories and threat intelligence feeds for indications of active exploitation, and review access logs for unauthenticated requests to the REST query endpoint.
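The monitoring advice above can be turned into a concrete triage step. The following is an added example, not code from XWiki or from the original page: it parses reverse-proxy access-log lines in combined format, picks out calls to the REST query resource (`/rest/wikis/{wiki}/query`, assumed to sit under a servlet context such as `/xwiki`), and ranks HQL queries from anonymous clients above XWQL ones. The sample log lines are constructed, the escalation indicators are a heuristic rather than the CVE-2025-32969 payload, and the assumption that the query type defaults to `xwql` and that the proxy's remote-user field is the only authentication visible at the edge are noted in the comments.

```python
"""Flag REST query-endpoint requests in an access log in front of XWiki."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format as produced by a reverse proxy (nginx/Apache) in front
# of XWiki. The third field is the proxy-level authenticated user; XWiki's own
# cookie/session login does not populate it, so '-' only means "not
# authenticated at the proxy" (assumption about the deployment).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# The REST query resource lives at /rest/wikis/{wiki}/query, possibly under a
# servlet context such as /xwiki, so match on the tail of the path.
QUERY_PATH_RE = re.compile(r"/rest/wikis/[^/?]+/query$")

# Heuristic escalation indicators for an HQL query from an anonymous client:
# set operators, SQL comment/terminator characters, or references to
# credential fields. This is a triage aid, not the CVE-2025-32969 payload.
ESCALATE_RE = re.compile(
    r"\b(union|passwd|password|xwikiusers)\b|--|/\*|;", re.IGNORECASE
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes '+' and %XX escapes; keep the first value of each key.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def classify(rec):
    """Severity for one parsed request, or None when it is not a REST query call.

    info   : non-HQL query types (xwql, solr, lucene), which do not carry raw HQL
    low    : HQL from a proxy-authenticated user
    medium : HQL from an anonymous client (check the server against the fixed versions)
    high   : anonymous HQL containing an escalation indicator
    """
    if not QUERY_PATH_RE.search(rec["path"]):
        return None
    # The query resource defaults to xwql when no type is given (assumption).
    qtype = rec["params"].get("type", "xwql").lower()
    if qtype != "hql":
        return "info"
    if ESCALATE_RE.search(rec["params"].get("q", "")):
        return "high"
    return "medium" if rec["user"] == "-" else "low"


def analyze(lines):
    """Return one finding per REST query request, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity is None:
            continue
        findings.append({
            "severity": severity,
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": int(rec["status"]),
            "type": rec["params"].get("type", "xwql"),
            "q": rec["params"].get("q", ""),
        })
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Apr/2025:10:15:01 +0000] "GET /xwiki/rest/wikis/xwiki/query?q=where+doc.space%3D%27Main%27&type=xwql&number=10 HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Apr/2025:10:16:42 +0000] "GET /xwiki/rest/wikis/xwiki/query?q=select+doc.fullName+from+XWikiDocument+doc&type=hql HTTP/1.1" 200 8721 "-" "curl/8.5.0"
198.51.100.7 - - [23/Apr/2025:10:17:03 +0000] "GET /xwiki/rest/wikis/xwiki/query?q=select+p.value+from+StringProperty+p+where+p.id.name%3D%27passwd%27&type=hql HTTP/1.1" 200 4402 "-" "curl/8.5.0"
203.0.113.5 - - [23/Apr/2025:10:18:30 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['ip']:14} {f['ts']} type={f['type']} q={f['q']!r}")
```

On an unpatched server every "medium" or "high" finding is a request that may have reached the database; on a patched server the same findings are still worth a look, because they show who is probing the endpoint. Pair the log review with the version check in the mitigation section rather than treating the heuristic as proof of compromise.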
Exploit Status
EPSS
26.88% (96th percentile)
The only real mitigation for CVE-2025-32969 is to upgrade XWiki to the fixed release of your branch: 15.10.16, 16.4.6, or 16.10.1 (or later). The injection is in XWiki's own REST query endpoint, so input validation or parameterized queries are not something an operator can add from outside; the vendor lists no workaround other than updating. If an immediate upgrade is not feasible, the usual compensating controls still reduce exposure, though they are not a substitute for the patch: block unauthenticated access to the REST query endpoint at the reverse proxy, and run XWiki against a database account restricted to its own schema with no administrative or DDL rights, so that a successful injection cannot reach other data or alter the schema. After upgrading, verify the fix by sending an unauthenticated request to the REST query endpoint with an HQL query that goes beyond what the endpoint permits for anonymous users; a patched server rejects it with an error status, whereas a result set means the vulnerable code is still in place.
Update XWiki to version 15.10.16, 16.4.6, or 16.10.1, or a later release of the same branch. This corrects the SQL injection vulnerability in the REST API query endpoint. No workaround is available other than updating.
CVE-2025-32969 is a critical SQL Injection vulnerability in XWiki Platform REST Server allowing unauthenticated attackers to execute arbitrary SQL queries, potentially compromising the database.
You are affected if you are running XWiki Platform REST Server before 15.10.16, a 16.0 to 16.4 release before 16.4.6, or a 16.5 or later release before 16.10.1. Upgrade immediately to mitigate the risk.
Upgrade XWiki Platform REST Server to 15.10.16, 16.4.6, or 16.10.1 (or later) depending on your branch. The vendor offers no workaround; if you cannot upgrade immediately, restrict unauthenticated access to the REST query endpoint at the reverse proxy and keep the database account XWiki uses to least privilege until you can.
No public exploit was known at the time of writing, but the vulnerability's severity and ease of exploitation (reflected in its EPSS score) make active exploitation plausible. Monitor security advisories and threat intelligence, and review access logs for anonymous requests to the REST query endpoint.
Refer to the official XWiki security advisory for detailed information and mitigation steps: [https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories](https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories)
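The fixed-version boundaries given in the update instructions and in the "You are affected if" answer above are easy to misread across three maintenance branches. The following is an added example, not code from XWiki or from the original page: it parses XWiki version strings (including `-rc-N` and `-milestone-N` pre-releases, which sort before the final release), maps a version to its branch's fixed release, and reads the declared `xwiki-platform-rest-server` version out of a pom.xml, resolving `${property}` references. The three fixed versions come from the advisory text on this page; the branch split points (16.0 and 16.5) and the sample pom.xml are assumptions made for the example.

```python
"""Decide whether an XWiki / xwiki-platform-rest-server version carries CVE-2025-32969."""
import re
import xml.etree.ElementTree as ET

# Fixed releases per maintenance branch, as listed in the advisory text above.
# The branch boundaries (16.0 and 16.5) are an assumption about how XWiki's
# release lines split; the page itself only names the three fixed versions.
FIXED = {
    (16, 5): "16.10.1",   # 16.5.x and later 16.x
    (16, 0): "16.4.6",    # 16.0.x to 16.4.x
    (0, 0): "15.10.16",   # everything before 16.0
}

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Turn '16.5.0-rc-1', '15.10.16' or '16.10' into a comparable tuple.

    Pre-releases sort before the final release of the same number:
    milestone (stage 0) < rc (stage 1) < final (stage 2).
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        stage = 0 if m.group(4).lower() == "milestone" else 1
        return (major, minor, patch, stage, int(m.group(5)))
    return (major, minor, patch, 2, 0)


def assess(version):
    """Return (vulnerable, fixed_version_for_this_branch) for one version string."""
    v = parse_version(version)
    # Highest branch start first, so 16.5+ is checked before 16.0+ and before 0.0.
    for branch_start in sorted(FIXED, reverse=True):
        if v[:2] >= branch_start:
            fixed = FIXED[branch_start]
            return v < parse_version(fixed), fixed
    raise AssertionError("unreachable: the (0, 0) branch matches every version")


def is_vulnerable(version):
    return assess(version)[0]


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def rest_server_versions_in_pom(pom_text):
    """Versions declared for org.xwiki.platform:xwiki-platform-rest-server in a pom.xml.

    ${property} references are resolved against <properties>. Versions that
    come from a parent POM or dependencyManagement are not resolved here and
    are returned as None so the caller knows to look further.
    """
    root = ET.fromstring(pom_text)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            props.update({_local(c.tag): (c.text or "").strip() for c in node})
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId"), fields.get("artifactId")) != (
            "org.xwiki.platform", "xwiki-platform-rest-server"
        ):
            continue
        version = fields.get("version")
        ref = re.fullmatch(r"\$\{([^}]+)\}", version or "")
        if ref:
            version = props.get(ref.group(1))
        found.append(version)
    return found


# Constructed sample pom.xml fragment for demonstration (not a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <xwiki.version>16.4.5</xwiki.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.xwiki.platform</groupId>
      <artifactId>xwiki-platform-rest-server</artifactId>
      <version>${xwiki.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for v in rest_server_versions_in_pom(SAMPLE_POM):
        vuln, fixed = assess(v)
        print(f"{v}: {'VULNERABLE, upgrade to ' + fixed if vuln else 'not affected'}")
```

Note that a version string alone does not tell you whether the running instance is fixed: a 16.4.5 artifact in a build file and a 16.10.1 WAR on the server are both common. Check the version XWiki reports at runtime as well as the build metadata.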