CVE-2025-24893:
CVE-2025-24893 describes a remote code execution vulnerability in XWiki Platform triggered via the SolrSearch macros, allowing an unauthenticated guest to perform arbitrary code execution through a crafted SolrSearch request (eval injection).
Score
A numerical rating that indicates how dangerous this vulnerability is.
- Score: 9.8 (Critical)
- Published Date: Feb 20, 2025
- CISA KEV Date: Oct 30, 2025
- Industries Affected: 20
Threat Predictions
- EPSS Score: 93.9
- EPSS Percentile: 100%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
This vulnerability in the SolrSearch macro of XWiki Platform allows any guest to trigger arbitrary remote code execution via a specially crafted SolrSearch request, effectively compromising the entire installation. It is classified as CWE-95 (eval injection) with a CVSS v3.1 score of 9.8 (CRITICAL), reflecting network access, no required privileges, no user interaction, and high impacts to confidentiality, integrity, and availability. The issue affects multiple versions and has been addressed in specific patched releases; upgrading is strongly recommended. A documented workaround exists for environments that cannot upgrade, involving changes to the SolrSearchMacros.xml and related templates to mitigate the issue temporarily.
Remediation
- Upgrade to patched releases: move to XWiki Platform 15.10.11, 16.4.1, or 16.5.0RC1, as applicable to your deployment.
- If upgrading is not feasible, apply the documented workaround: edit the Main.SolrSearchMacros page (SolrSearchMacros.xml, line 955) so that the rawResponse macro behaves as it does in macros.vm (line 2824), serving the response with a content type of application/xml instead of streaming the raw content.
- After applying the workaround, thoroughly test the SolrSearch functionality and verify that the exploitation attempt no longer yields the prior output or code execution.
- Monitor the XWiki advisories and upgrade guidance from the vendor, and plan a timely upgrade to a patched release when possible.
- If you are unable to perform immediate changes, consider restricting access to the SolrSearch functionality or isolating the affected components until a patch can be applied (in accordance with internal risk management policies).
References
- GHSA advisory: GHSA-rr6p-3pfg-562j (https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j)
- Patch commit: 67021db9b8ed26c2236a653269302a86bf01ef40 (https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40)
- SolrSearchMacros.xml patch location: SolrSearchMacros.xml#L955 (https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955)
- macros.vm patch location: macros.vm#L2824 (https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824)
- Jira issue: XWIKI-22149 (https://jira.xwiki.org/browse/XWIKI-22149)
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.
- Armis Alert Date: Apr 22, 2025
- CISA KEV Date: Oct 30, 2025
- Days Early: 191 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.