CVE-2025-49584: 
Java vulnerability analysis and mitigation

CVE-2025-49584 affects XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1. The vulnerability was discovered on December 17, 2024, and publicly disclosed on June 13, 2025. The issue allows unauthorized access to page titles through the REST API when an XClass with a page property is accessible, which is the default configuration for an XWiki installation (GitHub Advisory).

The vulnerability exists in the REST API's class property values functionality. When a page reference is known, an attacker can access the title of that page through the REST API endpoint, even without proper view permissions. This is possible as long as there is an accessible XClass with a page property. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, indicating it can be exploited remotely with no special requirements (GitHub Advisory).

The impact severity depends on the page naming strategy used in the XWiki installation. In default configurations where page names match their titles, the impact is considered low. However, in cases where page names are intentionally obfuscated because titles contain sensitive information, the impact could be high. The vulnerability does not affect fully private wikis as the REST endpoint checks access rights on the XClass definition (GitHub Advisory).

The vulnerability has been fixed in XWiki versions 16.4.7, 16.10.3, and 17.0.0 by implementing proper access control checks before retrieving any page title. The fix involves adding view right verification before rendering titles. No workarounds are available for affected versions, making upgrading to a patched version the only solution (GitHub Advisory).