CVE-2025-66474: XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection
(updated )
Any user who can edit their own user profile or any other document can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The reason is that rendering output is included as content of HTML macros with insufficient escaping, and it is thus possible to close the HTML macro and inject script macros that are executed with programming rights. To demonstrate, the content {{html}}{{/html {{/html}}}} can be inserted into any field of the user profile that supports wiki syntax like the “About” field. If this leads to the display of raw HTML, the instance is vulnerable.
References
- github.com/advisories/GHSA-9xc6-c2rm-f27p
- github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11
- github.com/xwiki/xwiki-rendering
- github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49
- github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p
- jira.xwiki.org/browse/XRENDERING-693
- jira.xwiki.org/browse/XRENDERING-792
- jira.xwiki.org/browse/XRENDERING-793
- jira.xwiki.org/browse/XWIKI-23378
- nvd.nist.gov/vuln/detail/CVE-2025-66474
Code Behaviors & Features
Detect and mitigate CVE-2025-66474 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →