CVE-2025-32972: 
Java vulnerability analysis and mitigation

CVE-2025-32972 affects XWiki, a generic wiki platform. The vulnerability was discovered and disclosed on April 30, 2025, impacting versions from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1. The issue involves incorrect rights checking in the script API of the LESS compiler when calling the cache cleaning API (NVD).

The vulnerability is classified as an Improper Authorization (CWE-285) issue. It has received varying CVSS v3.1 severity ratings: NIST assigned a Medium severity score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), while GitHub assessed it as Low severity with a score of 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). The vulnerability specifically relates to the LESS compiler's script API incorrectly checking rights when calling the cache cleaning API (GitHub Advisory).

The primary impact of this vulnerability is a potential slowdown in XWiki execution as the caches are re-filled. Since the vulnerability requires script rights to exploit, and these rights already allow unlimited execution of scripts, the additional impact due to this vulnerability is considered low (NVD).

The vulnerability has been patched in XWiki versions 15.10.12, 16.4.3, and 16.8.0-rc-1. No specific workarounds are available except for carefully managing script right permissions, which is a general security recommendation (GitHub Advisory).