
@N3mes1s
N3mes1s / CVE-2025-24893.md
Created November 2, 2025 13:40
CVE-2025-24893 - XWiki SolrSearch Guest Remote Code Execution (GHSA-rr6p-3pfg-562j / XWIKI-22149)

Security Report: XWiki SolrSearch Guest Remote Code Execution (GHSA-rr6p-3pfg-562j / XWIKI-22149)

Executive Summary

  • CVE: CVE-2025-24893
  • Issue: XWiki exposes the /xwiki/bin/get/Main/SolrSearch endpoint that renders user-controlled wiki macros inside the RSS response when media=rss is supplied. This allows unauthenticated remote attackers to execute arbitrary Groovy code on affected installations.
  • Affected build confirmed: xwiki-platform-distribution-flavor-jetty-hsqldb-16.4.0 (Jetty + HSQLDB bundle).
  • Exploit outcome: The proof-of-concept payload executes server-side Groovy and writes a marker file to /tmp/xwiki_rce_marker, demonstrating arbitrary code execution and file system modification.
  • Severity: Critical (CVSS 3.1: 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  • CWE: CWE-95 – Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection').
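As an added detection example (not part of the gist or of XWiki), a small scanner that flags access-log requests to the SolrSearch endpoint described above when `media=rss` is supplied together with XWiki macro syntax in the query string. The log lines are constructed, the combined access-log layout is assumed, and the `{{`/`{{groovy`/`{{async` markers are assumptions based on XWiki's `{{macro}}` syntax.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the advisory.
SOLRSEARCH_PATH = "/xwiki/bin/get/Main/SolrSearch"
# Assumption: XWiki macros use {{name}} syntax; the advisory says the rendered
# macros execute Groovy, so the Groovy macro marker is the strongest signal.
MACRO_MARKERS = ("{{", "{{groovy", "{{async")

# Assumption: Apache/Jetty "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious SolrSearch request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(SOLRSEARCH_PATH):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    media_rss = "rss" in (v.lower() for v in params.get("media", []))
    # Decode twice so a double-encoded query string is still inspected.
    decoded = unquote(unquote(parts.query))
    markers = [mk for mk in MACRO_MARKERS if mk in decoded]
    if media_rss and markers:
        return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                "markers": markers, "text": params.get("text", [""])[0][:80]}
    return None

def scan(lines):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(ln) for ln in lines) if f]

# Constructed sample log lines (not real traffic); the macro body is redacted.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Nov/2025:13:40:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7B%7Bgroovy%7D%7D%2A%2A%2A%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 512',
    '198.51.100.4 - - [02/Nov/2025:13:41:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=release+notes HTTP/1.1" 200 2048',
    '198.51.100.9 - - [02/Nov/2025:13:42:30 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9911',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A legitimate RSS search (second line) and an unrelated page view (third line) produce no finding; only the request carrying macro syntax is reported.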