CVE-2025-46554: XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
First published: Wed Apr 30 2025(Updated: )
### Impact Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki. To reproduce: * remove view from guest on the whole wiki * logout * access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/attachments You get a list of attachments, while the expected result should be an empty list. ### Patches This vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3. ### Workarounds We're not aware of any workaround except upgrading. ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org) ### Attribution Issue reported by Lukas Monert.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.xwiki.platform:xwiki-platform-rest-server | >=16.5.0-rc-1<16.7.0 | 16.7.0 |
| maven/org.xwiki.platform:xwiki-platform-rest-server | >=16.0.0-rc-1<16.4.3 | 16.4.3 |
| maven/org.xwiki.platform:xwiki-platform-rest-server | >=15.0-rc-1<15.10.12 | 15.10.12 |
| maven/org.xwiki.platform:xwiki-platform-rest-server | >=1.8.1<14.10.22 | 14.10.22 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5cr-xm48-97xp
- https://github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf98eae608
- https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342
- https://github.com/xwiki/xwiki-platform/commit/c02ce7843a39851865b9d7b6132e32fdd21e3856
- https://jira.xwiki.org/browse/XWIKI-22424
- https://nvd.nist.gov/vuln/detail/CVE-2025-46554
- https://github.com/advisories/GHSA-r5cr-xm48-97xp (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-46554?
CVE-2025-46554 has been classified as a high-severity vulnerability due to unauthorized access to sensitive metadata.
How do I fix CVE-2025-46554?
To fix CVE-2025-46554, upgrade to the patched versions of the 'org.xwiki.platform:xwiki-platform-rest-server' package as specified in the advisory.
Which versions of software are vulnerable to CVE-2025-46554?
Vulnerable versions of the software include 'org.xwiki.platform:xwiki-platform-rest-server' from 15.0-rc-1 to 16.7.0 and between 1.8.1 to 14.10.22.
Who can exploit CVE-2025-46554?
CVE-2025-46554 can be exploited by any user, even unauthenticated users, who can access the REST endpoint.
What should I do if I cannot upgrade to a fixed version for CVE-2025-46554?
If you cannot upgrade, consider implementing additional access controls to limit access to the wiki attachment REST endpoint.
- agent/weakness
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/description
- agent/type
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- collector/nvd-cve
- agent/references
- agent/last-modified-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r5cr-xm48-97xp
- alias/CVE-2025-46554
- agent/software-canonical-lookup
- agent/event
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- package-manager/maven