CVE-2025-24893
Published: 20 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24893 is a critical remote code execution vulnerability in the XWiki Platform, a generic wiki platform providing runtime services for applications. The flaw resides in the SolrSearch component, where insufficient validation of user-supplied input in RSS media requests allows arbitrary code execution via server-side template injection. Specifically, unauthenticated attackers can exploit the `SolrSearch` endpoint by crafting a request such as `/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D`; a vulnerable instance executes the embedded Groovy on the server, and the RSS feed title reflecting the output "Hello from search text:42" confirms that execution took place. This issue is associated with CWE-94 and CWE-95, carrying a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any unauthenticated guest user can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Successful exploitation grants full control over the affected XWiki instance, compromising confidentiality, integrity, and availability through arbitrary code execution on the server.
XWiki has addressed the vulnerability in versions 15.10.11, 16.4.1, and 16.5.0RC1, with users advised to upgrade immediately. For those unable to upgrade, a workaround involves editing `Main.SolrSearchMacros` in `SolrSearchMacros.xml` at line 955 to align with the `rawResponse` macro in `macros.vm` at line 2824, enforcing a content type of `application/xml` instead of directly outputting feed content. Detailed patch information is available in the XWiki security advisory (GHSA-rr6p-3pfg-562j) and related GitHub commit.
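Until the upgrade or workaround is in place, the request pattern described above is easy to spot in web server access logs. The following detector is an added example (not code from XWiki or the advisory) that flags requests to the SolrSearch RSS endpoint whose `text` parameter carries XWiki script-macro markers; the log lines and the `scan_log` / `is_suspicious_solrsearch` helpers are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from the advisory). The first
# line mirrors the request shape described above; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Feb/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812
10.0.0.6 - - [21/Feb/2025:10:01:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 2210
10.0.0.7 - - [21/Feb/2025:10:01:04 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
"""

# Common log format: client, identity, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# XWiki macro syntax ({{groovy}}, {{async}}, ...) has no business in a search string.
MACRO_RE = re.compile(r"\{\{/?\s*(groovy|async|velocity|python|script)\b", re.IGNORECASE)


def is_suspicious_solrsearch(target: str) -> bool:
    """True if the request target hits the SolrSearch RSS media path with
    script-macro markers in the (percent-decoded) text parameter."""
    parts = urlsplit(target)
    if not parts.path.endswith("/bin/get/Main/SolrSearch"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if "rss" not in params.get("media", []):
        return False
    # parse_qs decodes once; decode again so double-encoded payloads are not missed.
    return any(MACRO_RE.search(unquote(value)) for value in params.get("text", []))


def scan_log(text: str) -> list:
    """Return one record per log line that matches the suspicious pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_solrsearch(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"suspicious SolrSearch request from {h['ip']} at {h['ts']} (HTTP {h['status']})")
```

A hit with HTTP 200 on an unpatched version is worth treating as a likely compromise rather than a mere probe, since the response itself carries the macro output.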
Details
- CWE(s): CWE-94, CWE-95
- KEV Date Added: 30 October 2025
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated RCE in the public-facing XWiki SolrSearch component via server-side template injection (Groovy), directly matching exploitation of public-facing applications.