CVE-2025-54125: 
Java vulnerability analysis and mitigation

CVE-2025-54125 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability exists in XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0. The issue allows any user with view rights to access sensitive information by appending ?xpage=xml to a page's URL (GitHub Advisory).

The vulnerability is related to the XML export functionality where password and email properties stored on a document that aren't specifically named 'password' or 'email' are exposed in the XML output. The issue has been assigned a CVSS v4.0 base score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) (GitHub Advisory).

The vulnerability allows unauthorized access to salted and hashed user account validation or password reset tokens. While these tokens are randomly generated strings with relatively low immediate impact, the risk increases if the wiki uses extensions or custom code that store passwords in plain text in such password properties. The exposure of these properties could lead to unauthorized access to sensitive information (GitHub Advisory).

The vulnerability has been fixed in versions 16.4.7, 16.10.5, and 17.2.0-rc-1 by completely removing the output of password and email fields in the XML export. As a workaround, if the XML export functionality isn't needed, administrators can delete the file templates/xml.vm in the deployed WAR. There are no XWiki features that depend on this XML export (GitHub Advisory).