Vulnerability DatabaseCVE-2025-29925
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-29925
March 19, 2025
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.
Affected Packages
https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-16.5.0 <16.10.0
Fix Suggestion:
Update to version 16.10.0
https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-16.0.0 <16.4.6
Fix Suggestion:
Update to version 16.4.6
https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-3.1 <15.10.14
Fix Suggestion:
Update to version 15.10.14
org.xwiki.platform:xwiki-platform-rest-server (JAVA):
Affected version(s)
Fix Suggestion:
Update to version 15.10.14
org.xwiki.platform:xwiki-platform-rest-server (JAVA):
Affected version(s)
Fix Suggestion:
Update to version 16.10.0-rc-1
org.xwiki.platform:xwiki-platform-rest-server (JAVA):
Affected version(s)
Fix Suggestion:
Update to version 16.4.6
org.xwiki.platform:xwiki-platform-rest-server (NEXUS):
Affected version(s) >=3.1 <15.10.14
Fix Suggestion:
Update to version 15.10.14
org.xwiki.platform:xwiki-platform-rest-server (NEXUS):
Affected version(s) >=16.0.0 <16.4.6
Fix Suggestion:
Update to version 16.4.6
org.xwiki.platform:xwiki-platform-rest-server (NEXUS):
Affected version(s) >=16.5.0 <16.10.0
Fix Suggestion:
Update to version 16.10.0
Related ResourcesĀ (7)
https://nvd.nist.gov/vuln/detail/CVE-2025-29925
https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df
https://jira.xwiki.org/browse/XWIKI-22630
https://jira.xwiki.org/browse/XWIKI-22639
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-22q5-9phm-744v
https://github.com/xwiki/xwiki-platform
https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-402
EPSS
Base Score:
0.39