XWiki Platform RCE via SolrSearch (pre15.10.11/16.4.1/16.5.0RC1)
CVE-2025-24893 Published on February 20, 2025
Remote code execution as guest via SolrSearchMacros request in xwiki
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
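A defender triaging this issue after the fact wants to know whether any search request reached the instance with wiki-macro markup in the `text` parameter, since a legitimate search string never contains `{{...}}` macro syntax. The script below is an added example, not code from the advisory or from the XWiki project: it parses combined-format access-log lines (the log format is an assumption; adjust `LOG_RE` for your proxy), URL-decodes the query string once, the way the servlet container does, and reports every `Main.SolrSearch` request whose `text` value carries macro markup. The sample log lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format (assumed). Fields we need: client IP,
# timestamp, request target, response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# XWiki macro syntax: "{{name ...}}" opens a macro, "{{/name}}" closes it.
# We capture the macro name so the report says what was attempted.
MACRO_RE = re.compile(r'\{\{\s*/?\s*([A-Za-z]+)')

# Constructed sample: two ordinary requests and one carrying the
# async/groovy macro chain described in the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Feb/2025:10:14:02 +0000] '
    '"GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=deployment+guide HTTP/1.1" 200 2311',
    '203.0.113.7 - - [21/Feb/2025:10:14:09 +0000] '
    '"GET /xwiki/bin/view/Main/ HTTP/1.1" 200 18833',
    '198.51.100.23 - - [21/Feb/2025:10:15:41 +0000] '
    '"GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse'
    '%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22probe%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D '
    'HTTP/1.1" 200 412',
]


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def macro_names(text):
    """Return the sorted set of macro names that appear in decoded wiki text."""
    return sorted({name.lower() for name in MACRO_RE.findall(text)})


def inspect_request(target):
    """Return macro names found in the `text` parameter of a SolrSearch request.

    Non-SolrSearch requests and plain search strings yield an empty list.
    """
    parts = urlsplit(target)
    # Match on the document name so a different context path than /xwiki still matches.
    if '/Main/SolrSearch' not in parts.path:
        return []
    # parse_qs percent-decodes values and turns '+' into spaces, one level only.
    values = parse_qs(parts.query, keep_blank_values=True).get('text', [])
    found = set()
    for value in values:
        found.update(macro_names(value))
    return sorted(found)


def scan_log(lines):
    """Return one record per request whose search text contained macro syntax."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        names = inspect_request(rec['target'])
        if names:
            hits.append({
                'ip': rec['ip'],
                'ts': rec['ts'],
                'status': rec['status'],
                'macros': names,
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} macros={','.join(hit['macros'])}")
```

A `200` status on a flagged request does not by itself prove the macros executed; correlate with the XWiki application log and, on a patched instance, expect the markup to be returned inert inside the feed. If the proxy logs a different format, only `LOG_RE` needs to change; `inspect_request` works on any request target string.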
Known Exploited Vulnerability
This XWiki Platform Eval Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.
The following remediation steps are recommended / required by November 20, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2025-24893 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to be critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.
Weakness Type
What is an Eval Injection Vulnerability?
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.
CVE-2025-24893 has been classified as an Eval Injection vulnerability or weakness.
Products Associated with CVE-2025-24893
Affected Versions
xwiki-platform:
- Version >= 5.3-milestone-2, < 15.10.11 is affected.
- Version >= 16.0.0-rc-1, < 16.4.1 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-24893.
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.xwiki.platform:xwiki-platform-search-solr-ui | >= 5.3-milestone-2, < 15.10.11 | 15.10.11 |
| maven | org.xwiki.platform:xwiki-platform-search-solr-ui | >= 16.0.0-rc-1, < 16.4.1 | 16.4.1 |
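To turn the ranges in the table above into a check that can run over a version inventory, here is an added Python example (not code from the advisory or from the XWiki project). It parses XWiki-style version strings, including the `milestone` and `rc` pre-release qualifiers that appear in the table and the `16.5.0RC1` spelling used in the title, and reports whether a version lies inside either affected range. The ordering of qualifiers (milestone before rc before final release) is an assumption about XWiki's numbering scheme consistent with the values on this page.

```python
import re

# Affected ranges from the advisory, as (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ("5.3-milestone-2", "15.10.11"),
    ("16.0.0-rc-1", "16.4.1"),
]

# Pre-release qualifiers in ascending order (assumed); a final release sorts after both.
QUALIFIER_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2

# Accepts "15.10.11", "5.3-milestone-2", "16.0.0-rc-1" and "16.5.0RC1".
VERSION_RE = re.compile(r'(\d+(?:\.\d+)*)(?:-?(milestone|rc)-?(\d+))?')


def parse_version(version):
    """Turn an XWiki version string into a tuple that compares in release order."""
    m = VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    numbers = [int(n) for n in m.group(1).split('.')]
    numbers += [0] * (3 - len(numbers))          # "5.3" becomes (5, 3, 0)
    if m.group(2):
        return (tuple(numbers), QUALIFIER_RANK[m.group(2)], int(m.group(3)))
    return (tuple(numbers), FINAL_RANK, 0)


def is_affected(version):
    """True if `version` falls inside any affected range (lower inclusive, upper exclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each installed version to its status for a quick inventory report."""
    return {ver: ("affected" if is_affected(ver) else "not affected") for ver in versions}


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    for ver, status in triage(["14.10", "15.10.10", "15.10.11", "16.4.0", "16.4.1", "16.5.0RC1"]).items():
        print(f"{ver:12} {status}")
```

The check only answers whether the `xwiki-platform-search-solr-ui` artifact version is in a vulnerable range; an instance that applied the manual edit to `Main.SolrSearchMacros` described above will still report as affected by version number, so record such mitigations separately.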
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.