CVE-2025-48063: 
Java vulnerability analysis and mitigation

XWiki, a generic wiki platform, introduced a security vulnerability (CVE-2025-48063) in version 16.10.0 related to required rights functionality. The vulnerability was discovered and disclosed on May 21, 2025, affecting versions 16.10.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0-rc-1. The issue allows users with only edit rights to set programming rights as required rights, potentially leading to unauthorized privilege escalation (GitHub Advisory).

The vulnerability stems from a bug in the implementation of the required rights enforcement rule. The security model was designed to prevent users from defining rights they don't possess as required rights. However, the flawed implementation allowed any user with edit rights to set programming rights as required rights on a document. When a user with programming rights subsequently edited the document, the content would gain programming rights, enabling potential remote code execution. The vulnerability has been assigned a CVSS v4.0 base score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).

The impact of this vulnerability is considered low, despite the potential for gaining programming rights which could lead to remote code execution. This assessment is based on two factors: first, the vulnerability only provides additional attack surface if all documents in the wiki enforce required rights; second, XWiki still performs required rights analysis when a user edits a page, warning users with programming rights about dangerous content unless the attacker manages to bypass this check (GitHub Advisory, XWIKI Jira).

The vulnerability has been patched in XWiki versions 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading to these patched versions (GitHub Advisory).