Platform: java
Component: org.xwiki.platform:xwiki-platform-rest-server
Fixed in: 4.3.1, 17.0.1, 17.4.2
CVE-2025-52472 describes a high-severity HQL injection vulnerability in the XWiki Platform REST Server. The flaw allows attackers to inject HQL through the orderField parameter, potentially leading to unauthorized data access and manipulation. It affects XWiki Platform REST Server versions before 17.4.2; a fix is available in version 17.4.2.
The vulnerability lies in how the REST search URL handles the orderField parameter. An attacker-supplied orderField value is inserted into the HQL query, where it can bypass the intended security checks. Although the injected value appears twice in the query, careful manipulation, such as enclosing parts of the query in single quotes, can invalidate the original query and allow arbitrary HQL to run. Successful exploitation could expose sensitive data stored within the XWiki platform, including user information, documents, and configuration details; the potential for data exfiltration and modification represents a significant risk to XWiki deployments.
CVE-2025-52472 was publicly disclosed on 2025-10-06. Its CVSS score of 9.5 (CRITICAL) indicates a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the nature of HQL injection vulnerabilities suggests that one could be developed relatively easily. Monitor security advisories and threat intelligence feeds for any indication of active exploitation campaigns targeting the XWiki Platform REST Server.
Exploit Status
EPSS: 0.23% (45th percentile)
CISA SSVC
The primary mitigation for CVE-2025-52472 is to upgrade immediately to XWiki Platform REST Server version 17.4.2 or later. If upgrading is not immediately feasible, consider validating and sanitizing the orderField parameter so that characters that have no place in a field name cannot reach the query. A web application firewall (WAF) configured to detect and block HQL injection attempts adds a further layer of defense. Monitor XWiki logs for unusual query patterns or error messages that might indicate attempted exploitation. After upgrading, confirm the fix by submitting a search with an orderField value containing single quotes and observing that the query fails to execute, as expected.
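As an added illustration (not XWiki's own code) of the allow-list validation and log monitoring recommended above, the Python below rejects any orderField value that is not a bare, permitted identifier and scans constructed access-log lines for REST search requests that would have failed that check; the allow-listed field names and the log lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of sort keys the search endpoint should accept; a real
# deployment would list exactly the fields its search endpoint supports.
ALLOWED_ORDER_FIELDS = {"name", "fullName", "date", "author", "space"}
# A sort key must be a bare identifier: no quotes, spaces, dots or parentheses.
_IDENTIFIER_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")

def validate_order_field(value):
    """Return value if it is an allow-listed identifier, otherwise raise ValueError.
    Fails closed: an empty value or one carrying a single quote is refused before it
    could ever be concatenated into an HQL statement."""
    if value is None or not _IDENTIFIER_RE.fullmatch(value):
        raise ValueError(f"orderField is not a plain identifier: {value!r}")
    if value not in ALLOWED_ORDER_FIELDS:
        raise ValueError(f"orderField is not an allowed sort key: {value!r}")
    return value

def is_suspicious_order_field(value):
    """True when validate_order_field would refuse the parameter."""
    try:
        validate_order_field(value)
    except ValueError:
        return True
    return False

def scan_access_log(lines):
    """Return (client_ip, raw_orderField) for REST search requests whose orderField
    fails validation. Expects combined-log-format lines (constructed sample below)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7 or "/rest/wikis/" not in parts[6] or "/search" not in parts[6]:
            continue  # not a REST search request
        params = parse_qs(urlsplit(parts[6]).query)  # %27 decodes back to a quote
        for raw in params.get("orderField", []):
            if is_suspicious_order_field(raw):
                hits.append((parts[0], raw))
    return hits

# Constructed sample: a benign sort request, one whose orderField carries a
# single quote (the character the advisory singles out), and an unrelated page view.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2025:10:00:01 +0000] "GET /xwiki/rest/wikis/xwiki/search?q=test&orderField=name HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Oct/2025:10:00:02 +0000] "GET /xwiki/rest/wikis/xwiki/search?q=test&orderField=name%27 HTTP/1.1" 500 0',
    '203.0.113.9 - - [06/Oct/2025:10:00:03 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 2048',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags only the second request, which is the kind of event worth alerting on while the upgrade is pending.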
Update XWiki Platform to version 17.5.0, 17.4.2, or 16.10.9, or a later version. These versions contain the fix for the HQL injection vulnerability. No workarounds are available, so updating is the only solution.
CVE-2025-52472 is a CRITICAL HQL injection vulnerability in XWiki Platform REST Server allowing attackers to manipulate search queries and potentially access sensitive data.
If you are running XWiki Platform REST Server versions prior to 17.4.2, you are vulnerable to this HQL injection flaw.
Upgrade to XWiki Platform REST Server version 17.4.2 or later to mitigate the vulnerability. Implement input validation as a temporary workaround.
While no active exploitation has been confirmed, the high CVSS score and ease of potential exploitation suggest a risk of future attacks.
Refer to the official XWiki security advisory for detailed information and mitigation guidance: [https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories](https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories)