CVE-2025-54125: 
Java vulnerability analysis and mitigation

CVE-2025-54125 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability exists in versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0. The issue allows any user with view rights to access password and email properties stored in documents by appending ?xpage=xml to the URL, even when these properties aren't explicitly named 'password' or 'email'. This vulnerability was discovered in January 2025 and patched in versions 16.4.7, 16.10.5, and 17.2.0-rc-1 (GitHub Advisory).

The vulnerability is classified as High severity with a CVSS v4.0 base score of 8.7. The attack vector is Network (N) with Low (L) attack complexity, requiring No (N) privileges or user interaction. The vulnerability stems from improper filtering of sensitive fields in the XML export functionality, which only filters properties explicitly named 'password' and 'email' but fails to protect similarly sensitive fields with different names. This exposure occurs when accessing a page's XML view through the ?xpage=xml URL parameter (GitHub Advisory, NVD).

The vulnerability primarily exposes salted and hashed user account validation tokens and password reset tokens. While these tokens are randomly generated strings, making the immediate impact relatively low, the risk increases significantly if the wiki contains extensions or custom code that store passwords in plain text in such properties. The exposure of email properties could also lead to unauthorized access to users' contact information (GitHub Advisory).

The vulnerability has been patched in XWiki Platform versions 16.4.7, 16.10.5, and 17.2.0-rc-1. For users unable to update immediately, a workaround exists: the file templates/xml.vm in the deployed WAR can be deleted if the XML export functionality isn't needed. It's noted that no feature in XWiki itself depends on this XML export (GitHub Advisory).