HQL Injection Vulnerability in XWiki Platform Affecting Multiple Versions
CVE-2025-52472

9.3CRITICAL

Key Information:

Vendor

Xwiki
Status
Xwiki-platform
Vendor
CVE Published:
6 October 2025

What is CVE-2025-52472?

The XWiki Platform contains a vulnerability that allows HQL injection through the 'orderField' parameter in the REST search URL. Specifically, when a user specifies a value for 'orderField', this value is incorporated twice into the query—once in the SELECT field list and again in the ORDER clause. This architectural flaw complicates exploitation, though it is possible when a malicious user takes advantage of the double incorporation within the query. The vulnerability, present in versions starting from 4.3-milestone-1 and up to various builds of 17.x series, has been addressed in subsequent updates. Users are urged to upgrade to versions 16.10.9, 17.4.2, or 17.5.0 to mitigate the risk.

Affected Version(s)

xwiki-platform >= 4.3-milestone-1, < 16.10.9 < 4.3-milestone-1, 16.10.9

xwiki-platform >= 17.0.0-rc-1, < 17.4.2 < 17.0.0-rc-1, 17.4.2

References

https://github.com/xwiki/xwiki-platform/security/advisori...
x_refsource_CONFIRM
https://github.com/xwiki/xwiki-platform/commit/743ebf8696...
x_refsource_MISC
https://github.com/xwiki/xwiki-platform/commit/a45eca2af7...
x_refsource_MISC

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-52472 : HQL Injection Vulnerability in XWiki Platform Affecting Multiple Versions