CVE-2025-31487: 
Java vulnerability analysis and mitigation

CVE-2025-31487 affects the XWiki JIRA extension, which provides integration points between XWiki and JIRA (macros, UI, CKEditor plugin). The vulnerability was discovered and disclosed on April 3, 2025. The issue affects versions prior to 8.6.5 of the JIRA extension. This vulnerability allows any authenticated XWiki user to perform XML External Entity (XXE) attacks through the JIRA macro functionality (NVD, GitHub Advisory).

The vulnerability is classified as an Improper Restriction of XML External Entity Reference (CWE-611) with a CVSS v3.1 base score of 7.7 (High). The attack vector is network-based, with low attack complexity and requiring low privileges. The vulnerability occurs when processing XML data from JIRA URLs, where the SAXBuilder instance used to retrieve JIRA issue data does not properly restrict XML external entity references (GitHub Advisory).

An authenticated attacker can exploit this vulnerability by editing their user profile wiki page and using the JIRA macro with a specially crafted fake JIRA URL. This URL can return XML containing a DOCTYPE that points to local files on the XWiki server host, allowing the attacker to read and display the contents of these files through JIRA fields such as summary or description (GitHub Advisory).

The vulnerability has been patched in JIRA Extension version 8.6.5. The fix involves disabling DTD processing completely in the XML parser since JIRA returns XML content that doesn't use a DTD. There are no easy workarounds except upgrading to the patched version using the XWiki Extension Manager (GitHub Commit).