CVE-2025-32971: 
Java vulnerability analysis and mitigation

CVE-2025-32971 affects XWiki, a generic wiki platform, discovered in April 2025. The vulnerability exists in versions from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1. The issue involves the Solr script service not properly handling dropped programming rights in XWiki's scripting API (GitHub Advisory, NVD).

The vulnerability stems from the Solr script service using incorrect API for checking rights, specifically not recognizing when programming rights have been dropped through the '$xcontext.dropPermissions()' call. The issue has been assigned a CVSS v3.1 base score of 3.8 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L. The vulnerability is classified as CWE-863 (Incorrect Authorization) (GitHub Advisory, NVD).

The vulnerability allows users with script rights to bypass intended security restrictions, potentially enabling them to either cause high load by indexing documents or temporarily remove documents from the search index. While the impact is limited to users with script rights, it could affect system stability and document accessibility (GitHub Advisory).

The vulnerability has been patched in XWiki versions 15.10.13, 16.4.4, and 16.8.0-rc-1. For users unable to upgrade immediately, the only workaround is to carefully manage script right permissions, as there are no other known mitigation strategies (GitHub Advisory).