XWiki Platform <15.10.14,16.4.6,16.10.0RC1: REST /rest/wikis/... Leakage
CVE-2025-29925 Published on March 19, 2025

XWiki allows unregistered users to access private pages information through REST endpoint
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.

Github Repository NVD

Weakness Type

What is a Resource Leak Vulnerability?

The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software.

CVE-2025-29925 has been classified to as a Resource Leak vulnerability or weakness.


Products Associated with CVE-2025-29925

Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.

Xwiki
 

Affected Versions

xwiki-platform:

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-29925

Package Manager Vulnerable Package Versions Fixed In
maven org.xwiki.platform:xwiki-platform-rest-server >= 1.9M1, < 15.10.14 15.10.14
maven org.xwiki.platform:xwiki-platform-rest-server >= 16.0.0-rc-1, < 16.4.6 16.4.6
maven org.xwiki.platform:xwiki-platform-rest-server >= 16.5.0-rc-1, < 16.10.0-rc-1 16.10.0-rc-1

Exploit Probability

EPSS
1.15%
Percentile
78.74%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.