CVE-2025-32429: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a critical SQL injection vulnerability (CVE-2025-32429). The vulnerability affects versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2. The issue was discovered by Aleksey Solovev from Positive Technologies and was publicly disclosed on July 24, 2025 (GitHub Advisory).

The vulnerability allows SQL injection through the 'sort' parameter of the getdeleteddocuments.vm template. The parameter is directly injected as an ORDER BY value without proper sanitization. The vulnerability has received a Critical CVSS v4.0 base score of 9.3, with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The issue is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (GitHub Advisory).

The vulnerability allows remote attackers to execute arbitrary SQL commands through the affected parameter. With a Critical severity rating, the vulnerability can potentially lead to high impacts on system confidentiality, integrity, and availability. The attack requires no special privileges or user interaction, making it particularly dangerous (GitHub Advisory).

The vulnerability has been patched in versions 16.10.6 and 17.3.0-rc-1. There are no known workarounds other than upgrading to the fixed versions. Users are strongly advised to update their XWiki Platform installations to these patched versions (ASEC, GitHub Advisory).