CVE-2025-24893
Remote code execution as guest via SolrSearchMacros request in xwiki
In short
Any visitor to an XWiki site can execute arbitrary code on the server without logging in, by sending a specially crafted request to the search feature. This completely compromises the confidentiality, integrity, and availability of the entire XWiki installation.
Technical detail
The SolrSearch macro fails to properly sanitize user-supplied input in the `text` parameter before evaluating it as code, allowing unauthenticated attackers to inject and execute arbitrary Groovy code on the server. The vulnerability exists in the response handling mechanism that outputs the feed content without proper escaping or content-type restrictions.
Summary generated and translated by AI from the official description.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
xwiki · xwiki-platformpublic PoCs found — 41
githubgithub.com/gunzf0x/CVE-2025-24893★ 22githubgithub.com/dollarboysushil/CVE-2025-24893-XWiki-Unauthenticated-RCE-Exploit-POC★ 17githubgithub.com/b0ySie7e/CVE-2025-24893★ 11githubgithub.com/iSee857/CVE-2025-24893-PoC★ 10githubgithub.com/Infinit3i/CVE-2025-24893★ 6githubgithub.com/Hex00-0x4/CVE-2025-24893-XWiki-RCE★ 6githubgithub.com/AliElKhatteb/CVE-2024-32019-POC★ 5githubgithub.com/hackersonsteroids/cve-2025-24893★ 5githubgithub.com/D3Ext/CVE-2025-24893★ 4githubgithub.com/570RMBR3AK3R/xwiki-cve-2025-24893-poc★ 3githubgithub.com/torjan0/xwiki_solrsearch-rce-exploit★ 2githubgithub.com/BreakingRohit/CVE-2025-24893-PoC★ 2githubgithub.com/Artemir7/CVE-2025-24893-EXP★ 2githubgithub.com/Th3Gl0w/CVE-2025-24893-POC★ 1githubgithub.com/IIIeJlyXaKapToIIIKu/CVE-2025-24893-XWiki-unauthenticated-RCE-via-SolrSearch★ 1githubgithub.com/x0da6h/POC-for-CVE-2025-24893★ 1githubgithub.com/80Ottanta80/CVE-2025-24893-PoC★ 1githubgithub.com/vasilysaint/CVE-2025-24893★ 1githubgithub.com/alaxar/CVE-2025-24893★ 0githubgithub.com/zs1n/CVE-2025-24893★ 0githubgithub.com/Retro023/CVE-2025-24893-POC★ 0githubgithub.com/CMassa/CVE-2025-24893★ 0githubgithub.com/Fomovet/cve-2025-24893★ 0githubgithub.com/ibadovulfat/CVE-2025-24893★ 0githubgithub.com/gmh5225/CVE-2025-24893-RCE-PoC★ 0githubgithub.com/AzureADTrent/CVE-2025-24893-Reverse-Shell★ 0githubgithub.com/andwati/CVE-2025-24893★ 0githubgithub.com/Bishben/xwiki-15.10.8-reverse-shell-cve-2025-24893★ 0githubgithub.com/kimtangker/CVE-2025-24893★ 0githubgithub.com/investigato/cve-2025-24893-poc★ 0githubgithub.com/The-Red-Serpent/CVE-2025-24893★ 0githubgithub.com/0xDTC/XWiki-Platform-RCE-CVE-2025-24893★ 0githubgithub.com/o0wo0o/CVE-2025-24893_Shell★ 0githubgithub.com/dhiaZnaidi/CVE-2025-24893-PoC★ 0githubgithub.com/TomKingori/xwiki-cve-2025-24893-exploit★ 0githubgithub.com/nohack1212/CVE-2025-24893-★ 0githubgithub.com/rippsec/CVE-2025-24893-XWiki-SSTI-RCE★ 0githubgithub.com/hasecto/CVE-2025-24893★ 0githubgithub.com/mah4nzfr/CVE-2025-24893★ 0exploitdbwww.exploit-db.com/exploits/52429unverifiedexploitdbwww.exploit-db.com/exploits/52136unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562jhttps://jira.xwiki.org/browse/XWIKI-22149https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24893