CVE-2025-55728
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | pro_macros | From 1.0 (inc) to 1.26.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55728 is a critical remote code execution vulnerability in the XWiki Pro Macros extension (versions from 1.0 up to, but not including, 1.26.5). The 'classes' parameter of the panel macro is inserted into the XWiki syntax the macro generates without being escaped, so an attacker who can edit any page can break out of the generated markup and inject arbitrary XWiki syntax, including a {{groovy}} macro whose script the wiki server then executes. In CWE terms this is code injection (CWE-94) through input that reaches a dynamically evaluated template (CWE-95). [1, 2]
How can this vulnerability impact me?
The impact is severe: remote code execution on the wiki server by an attacker with page edit rights, and in some cases even by users with only view rights. Arbitrary code running on the server gives full access to stored data (confidentiality), the ability to modify it (integrity) and the ability to take the service down (availability), in other words complete control of the affected XWiki instance. The attack is carried out over the network and needs no user interaction; the only privilege normally required is the ability to edit a page. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts. First, compare the installed version of the Pro Macros extension with the affected range in the table above: anything from 1.0 up to but not including 1.26.5 is vulnerable. Second, the flaw itself can be confirmed by testing whether the 'classes' parameter of the panel macro accepts raw XWiki syntax. The published test payload is `%)((({{async}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}}`: its leading `%)(((` closes the parameter block the class list is written into and opens a new group, so the macros that follow are parsed as ordinary page content and the Groovy script runs when the page is rendered. Edit a page that uses the panel macro, set the classes parameter to the payload, view the page and check whether the printed string appears in the output. Because this executes code on the wiki, run it only against a test instance or with a harmless payload such as this one. No network-level commands are given in the sources; testing the macro's input handling through the web interface, together with the version check, is the suggested approach. A review of stored content is also worthwhile: search page sources for panel macros whose classes parameter contains `{{`, `%)` or `(((`, which a legitimate CSS class list never needs. [2]
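As an added example (not code from BaseFortify, XWiki or the Pro Macros project), the following Python script implements the two offline checks described above: it compares an installed Pro Macros version against the affected range given in the table on this page, and it scans XWiki-syntax page source (for instance from a XAR export or the page's wiki source view) for panel macros whose classes parameter contains the wiki-syntax metacharacters an injection needs, such as the `%)(((` prefix of the payload quoted above. The sample page text is constructed for the example; the parameter parser assumes XWiki 2.x macro syntax (`{{name key="value" key2='value'}}` with `~` as the escape character), and the marker list and class-list allowlist are heuristics chosen here, not an official indicator.

```python
import re
from typing import Iterator, NamedTuple

# Affected range from the table on this page: 1.0 (inclusive) to 1.26.5 (exclusive).
AFFECTED_MIN = (1, 0, 0)
FIXED_VERSION = (1, 26, 5)

def parse_version(text: str) -> tuple:
    """'1.26.4' or '1.26' -> comparable tuple padded to three numbers."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected_version(text: str) -> bool:
    """True if an installed Pro Macros version falls inside the affected range."""
    return AFFECTED_MIN <= parse_version(text) < FIXED_VERSION

class MacroCall(NamedTuple):
    name: str
    params: dict
    offset: int  # index of the opening '{{' in the page source

class Finding(NamedTuple):
    offset: int
    classes: str
    markers: list

# Assumed input format, XWiki 2.x macro syntax: {{name key="value" key2='value'}}.
# Inside a quoted value '~' escapes the next character (e.g. ~" for a literal quote).
MACRO_NAME = re.compile(r"\{\{(?P<name>[A-Za-z][\w-]*)")
PARAM = re.compile(r"(?P<key>[A-Za-z][\w-]*)\s*=\s*"
                   r"(?:\"(?P<dq>(?:[^\"~]|~.)*)\"|'(?P<sq>(?:[^'~]|~.)*)')")
WS = re.compile(r"\s*")

def _unescape(value: str) -> str:
    return re.sub(r"~(.)", r"\1", value)

def iter_macro_calls(source: str) -> Iterator[MacroCall]:
    """Yield each macro opening tag with its parameters. Quoted values are consumed
    whole, so a value containing '{{' is attributed to the enclosing call instead of
    being misread as a separate macro."""
    pos = 0
    while True:
        start = source.find("{{", pos)
        if start < 0:
            return
        m = MACRO_NAME.match(source, start)
        if not m:  # closing tag such as {{/panel}}: skip it
            pos = start + 2
            continue
        params, i = {}, m.end()
        while True:
            i = WS.match(source, i).end()
            if source.startswith("/}}", i):
                i += 3
                break
            if source.startswith("}}", i):
                i += 2
                break
            pm = PARAM.match(source, i)
            if not pm:  # malformed parameter list: stop parsing this call
                break
            raw = pm.group("dq") if pm.group("dq") is not None else pm.group("sq")
            params[pm.group("key")] = _unescape(raw)
            i = pm.end()
        yield MacroCall(m.group("name"), params, start)
        pos = i

# A legitimate class list is words, hyphens and whitespace. The markers are the
# syntax needed to leave the generated markup and start a macro (heuristic).
SAFE_CLASS_LIST = re.compile(r"^[\w\s-]*$")
BREAKOUT_MARKERS = ("%)", "(((", ")))", "{{", "}}")

def suspicious_panel_classes(source: str) -> list:
    """One Finding per panel macro whose classes value is not a plain class list."""
    findings = []
    for call in iter_macro_calls(source):
        classes = call.params.get("classes")
        if call.name.lower() != "panel" or classes is None:
            continue
        if not SAFE_CLASS_LIST.match(classes):
            markers = [mk for mk in BREAKOUT_MARKERS if mk in classes]
            findings.append(Finding(call.offset, classes, markers))
    return findings

# Constructed sample page: one benign panel and one carrying the payload quoted
# above (single-quoted so the Groovy string's double quotes survive).
SAMPLE_PAGE = """= Team dashboard =

{{panel title="Status" classes="panel-info compact"}}
All systems nominal.
{{/panel}}

{{panel classes='%)((({{async}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}}'}}
looks empty
{{/panel}}
"""

if __name__ == "__main__":
    for ver in ("1.26.4", "1.26.5"):
        print(ver, "AFFECTED" if is_affected_version(ver) else "not affected")
    for f in suspicious_panel_classes(SAMPLE_PAGE):
        print(f"offset {f.offset}: classes={f.classes!r} markers={f.markers}")
```

The same allowlist (`SAFE_CLASS_LIST`) is also the shape of check an administrator could apply to class parameters before they reach rendering, but the only supported fix remains the upgrade; the scanner is for triage of pages that may already carry a payload.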
What immediate steps should I take to mitigate this vulnerability?
Upgrade the XWiki Pro Macros extension to version 1.26.5 or later, which escapes the 'classes' parameter of the panel macro before inserting it into the generated XWiki syntax; the patch uses the XWiki rendering service's escape method for this. Until the upgrade is applied, restrict edit rights to trusted users, since any user who can edit a page can exploit the flaw. Upgrading stops new injections but does not remove payloads already stored in page content, so after patching review pages (and their history) that use the panel macro for a classes parameter containing macro syntax, and treat any such page as evidence of compromise. [1, 2]