CVE-2025-52472
BaseFortify
Publication date: 2025-10-06
Last updated on: 2025-10-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki_platform_rest_server | * |
| xwiki | xwiki_platform | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52472 is a critical HQL injection vulnerability in the XWiki platform's REST search API, specifically via the `orderField` parameter. The parameter's value is inserted twice into the HQL queryβonce in the select field list and once in the order clauseβallowing an attacker to inject malicious HQL code. Although the dual insertion complicates exploitation, attackers can craft payloads that manipulate the query structure to execute arbitrary HQL commands. This can lead to unauthorized data access, modification, or denial of service. The vulnerability affects versions from 4.3-milestone-1 up to versions before 16.10.9, 17.4.2, and 17.5.0, where it has been patched. [3]
How can this vulnerability impact me? :
This vulnerability can have a high impact on confidentiality, integrity, and availability. An attacker can exploit it remotely without authentication or user interaction to execute arbitrary HQL commands. This may result in unauthorized disclosure of sensitive data, unauthorized modification of data, or denial of service attacks by manipulating query execution (e.g., causing delays). Therefore, it poses serious risks to the security and stability of the affected XWiki platform. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring and analyzing REST API requests to the XWiki platform, specifically looking for suspicious or malformed `orderField` parameters in search URLs that could indicate HQL injection attempts. Since the injection occurs via the `orderField` parameter in REST search endpoints, you can inspect HTTP logs or use network monitoring tools to filter requests containing unusual or non-alphanumeric characters in this parameter. There are no specific commands provided in the resources, but general approaches include using web application firewalls (WAF) with custom rules to detect injection patterns or employing log analysis tools to search for requests with suspicious `orderField` values. Additionally, attempts causing query syntax errors or delays (e.g., time-based injections like `pg_sleep`) in logs may indicate exploitation attempts. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade the XWiki platform to one of the patched versions: 16.10.9, 17.4.2, or 17.5.0, where the vulnerability has been fixed. There are no known effective workarounds other than upgrading. The patches include validation and sanitization of the `orderField` parameter, use of a secure query manager to prevent injection, and improved query construction to mitigate the risk. Until upgrading, restrict access to the REST search API if possible and monitor for suspicious activity. [3]