
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-49580 is a privilege escalation vulnerability in XWiki, a generic wiki platform. It affects versions starting at 7.4.5 and 8.2 and ending before the fixed releases 16.4.7, 16.10.4 and 17.1.0-rc-1, and was disclosed on June 13, 2025. The flaw lets a page that contains a link gain script or programming rights it should not have when the target of that link is renamed or moved (GitHub Advisory, NVD).
The root cause is in the link refactoring code. When a refactoring operation such as a page rename rewrites the links in every page that points at the renamed target, each of those pages is saved with the user who performed the refactoring recorded as its metadata author. XWiki evaluates the rights of scripts stored in a page's xobjects against that metadata author, so a page written by a user with only edit rights inherits the rights of whoever performed the rename. The vulnerability has been assigned a CVSS v4.0 base score of 8.5 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; UI:A reflects that a more privileged user must carry out the rename or move. The issue is classified as CWE-266 (Incorrect Privilege Assignment) (GitHub Advisory, Wiz).
As a result, scripts contained in xobjects that should never have been executed are run with the elevated rights of the refactoring user. An attacker who can edit a page can therefore prepare a page holding a malicious xobject script and a link, and wait for a privileged user to rename or move the link target; the script then runs with that user's rights, compromising the confidentiality, integrity and availability of the wiki and potentially the underlying system (GitHub Advisory).
The vulnerability has been patched in XWiki versions 16.4.7, 16.10.4 and 17.1.0-rc-1. The fix sets only the originalMetadataAuthor when saving pages whose links were rewritten, so the refactoring user is still shown in the page history without affecting right evaluation. If upgrading is not possible, administrators can apply the patch to the xwiki-platform-refactoring-default module alone. The only workaround without patching is to prevent users who hold more than edit rights (script or programming rights) from performing any refactoring operations such as rename or move (GitHub Advisory).
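The following Java snippet is an added illustration of the author-metadata distinction the fix relies on; it is not XWiki's actual code or the patch itself. The class and method names (LinkUpdateSaveExample, saveAfterLinkUpdateVulnerable, saveAfterLinkUpdateFixed) and the save comment are assumptions made for this example, while DocumentAuthors, XWikiDocument, XWikiContext and the "document" UserReferenceResolver are real XWiki platform types. The vulnerable method reproduces the pattern the advisory describes (the refactoring user becomes the author used for right evaluation); the hardened method sets only the original metadata author, as the advisory says the fix does.

```java
// Added illustration, not XWiki's own code or patch. Class and method names
// are assumptions for this example.
import javax.inject.Inject;
import javax.inject.Named;

import org.xwiki.model.document.DocumentAuthors;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.user.UserReference;
import org.xwiki.user.UserReferenceResolver;

import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.XWikiException;
import com.xpn.xwiki.doc.XWikiDocument;

public class LinkUpdateSaveExample
{
    // Converts the DocumentReference of the current user (as held by the
    // XWikiContext) into the UserReference type used by DocumentAuthors.
    @Inject
    @Named("document")
    private UserReferenceResolver<DocumentReference> userReferenceResolver;

    /**
     * Vulnerable pattern. {@code document} is a page that merely links to the
     * renamed target and whose links have just been rewritten. Recording the
     * user who performed the rename as the effective metadata author changes
     * whose rights the page's xobject scripts are evaluated against: if an
     * administrator triggers the rename, a page written by an edit-only user
     * now runs its xobject scripts with administrator rights.
     */
    public void saveAfterLinkUpdateVulnerable(XWikiDocument document, XWikiContext xcontext)
        throws XWikiException
    {
        UserReference refactoringUser =
            this.userReferenceResolver.resolve(xcontext.getUserReference());
        DocumentAuthors authors = document.getAuthors();
        // The dangerous assignment: the effective metadata author drives
        // right evaluation for scripts stored in xobjects.
        authors.setEffectiveMetadataAuthor(refactoringUser);
        authors.setOriginalMetadataAuthor(refactoringUser);
        xcontext.getWiki().saveDocument(document, "Update links after rename", true, xcontext);
    }

    /**
     * Hardened pattern following the advisory's description of the fix. Only
     * the original metadata author is updated, so the history still shows who
     * triggered the link update while the effective metadata author, and with
     * it the rights used to run the page's xobject scripts, is left untouched.
     */
    public void saveAfterLinkUpdateFixed(XWikiDocument document, XWikiContext xcontext)
        throws XWikiException
    {
        UserReference refactoringUser =
            this.userReferenceResolver.resolve(xcontext.getUserReference());
        DocumentAuthors authors = document.getAuthors();
        authors.setOriginalMetadataAuthor(refactoringUser);
        xcontext.getWiki().saveDocument(document, "Update links after rename", true, xcontext);
    }
}
```

A practical check after patching or backporting: have a low-privilege user create a page with an xobject whose script needs programming rights and a link to a second page, rename that second page as an administrator, then inspect the linking page's authors in the history. The effective metadata author should still be the low-privilege user; only the original metadata author should show the administrator.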
Source: This report was generated using AI