CVE-2025-24893: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a critical remote code execution vulnerability (CVE-2025-24893). The vulnerability allows any unauthenticated guest to perform arbitrary remote code execution through a request to SolrSearch, impacting the confidentiality, integrity, and availability of the entire XWiki installation. The vulnerability affects versions from 5.3-milestone-2 up to 15.10.11 and from 16.0.0-rc-1 to 16.4.1 (GitHub Advisory, ZDI Advisory).

The vulnerability exists in the SolrSearchMacros component where the 'text' parameter is not properly validated when processing RSS feed requests. When the 'media' parameter is set to 'rss', the text parameter's value is rendered as part of the RSS feed's title and description without proper sanitization of scripting language special characters. This allows script instructions to be interpreted and executed by the template renderer. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code on the target server with the service account privileges, potentially leading to complete system compromise. This impacts the confidentiality of data, integrity of the system, and availability of the XWiki installation (ZDI Advisory).

The vulnerability has been patched in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1. Users are strongly advised to upgrade to these versions. For users unable to upgrade immediately, a workaround is available by editing Main.SolrSearchMacros to match the rawResponse macro with a content type of 'application/xml', instead of simply outputting the content of the feed (GitHub Advisory).