
Cloud Vulnerability DB
A community-led vulnerabilities database
XWiki Platform, a generic wiki platform offering runtime services for applications, contains a SQL injection vulnerability (CVE-2025-54385) affecting versions 17.0.0-rc-1 through 17.2.2 and versions 16.10.5 and earlier. The vulnerability was publicly disclosed on July 26, 2025. On Oracle-backed installations it allows a caller of the XWiki#searchDocuments APIs to execute arbitrary SQL by invoking Oracle packages such as DBMS_XMLGEN or DBMS_XMLQUERY, which accept a SQL statement as a string argument and run it (GitHub Advisory).
The vulnerability stems from insufficient query validation in the XWiki#searchDocuments APIs, which hand the caller-supplied part of the query to Hibernate without adequate sanitization. Fixing the SELECT clause does not help: HQL passes function names it does not recognise through to the underlying database, so a fragment supplied for another part of the query, such as the WHERE clause, can still call a native Oracle function, and a function that takes a SQL string and executes it turns that call into a full query executor. The vulnerability has been assigned a CVSS v4.0 score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; the PR:H component reflects that the attacker must already hold elevated privileges on the wiki to reach these APIs (GitHub Advisory).
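The following is an added illustration, not XWiki's code or its fix: a minimal model of a search API that fixes the SELECT clause and appends a caller-supplied HQL fragment, showing that a SELECT-prefix check accepts a WHERE clause that calls a pass-through database function, and a hypothetical allow-list check on the functions named in the fragment that rejects it. The function names, the allow-list, and the sample fragments are assumptions constructed for the example.

```python
import re

# Constructed model of a fixed-SELECT search API (not XWiki's code): the API
# owns the SELECT clause and appends whatever WHERE/ORDER BY fragment it is given.
FIXED_SELECT = "select distinct doc.fullName from XWikiDocument as doc"


def build_query(fragment: str) -> str:
    """Assemble the full HQL the way a fixed-SELECT search API would."""
    return f"{FIXED_SELECT} {fragment}"


def select_clause_is_fixed(full_query: str) -> bool:
    """The kind of check the advisory calls insufficient: it only verifies
    that the query starts with the expected SELECT clause."""
    return full_query.lower().startswith(FIXED_SELECT.lower())


# Hypothetical allow-list of functions a caller may use in a fragment. Anything
# not listed is rejected, which covers database packages such as
# dbms_xmlgen.getxml that execute a SQL string handed to them as text.
ALLOWED_FUNCTIONS = {"lower", "upper", "length", "trim", "concat", "coalesce"}

# Keywords that may legitimately be followed by "(" without being calls.
KEYWORDS = {"and", "or", "not", "in", "exists", "where", "on", "between", "select", "from"}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")      # '...' with '' as escaped quote
_CALL = re.compile(r"\b([A-Za-z_][\w.]*)\s*\(")      # name or package.name followed by (


def called_functions(fragment: str) -> list[str]:
    """Lower-cased, package-qualified names invoked as functions in the
    fragment, ignoring anything inside string literals."""
    stripped = _STRING_LITERAL.sub("''", fragment)
    return [m.group(1).lower() for m in _CALL.finditer(stripped)
            if m.group(1).lower() not in KEYWORDS]


def disallowed_functions(fragment: str) -> list[str]:
    """Functions in the fragment that are not on the allow-list."""
    return [name for name in called_functions(fragment) if name not in ALLOWED_FUNCTIONS]


def search_documents(fragment: str) -> str:
    """Hypothetical hardened entry point: refuse the fragment unless every
    function it calls is allow-listed, then build the query."""
    bad = disallowed_functions(fragment)
    if bad:
        raise ValueError(f"disallowed function(s) in query fragment: {bad}")
    return build_query(fragment)


# Constructed sample fragments.
BENIGN = "where doc.space = 'Main' and lower(doc.name) like 'page%' order by doc.date desc"
# Shape of the issue the advisory describes: the fixed SELECT is untouched, but
# the WHERE clause passes a SQL string to an Oracle package that executes it.
MALICIOUS = "where doc.space = dbms_xmlgen.getxml('select user from dual')"

if __name__ == "__main__":
    for frag in (BENIGN, MALICIOUS):
        q = build_query(frag)
        print("select-prefix check:", select_clause_is_fixed(q),
              "| disallowed:", disallowed_functions(frag))
```

Both fragments pass the SELECT-prefix check, because the prefix was never under the caller's control; only the function allow-list separates them. The regex scan is illustrative: a production check should walk the parsed HQL tree rather than pattern-match text, since a text scan does not see through comments or every lexical form the parser accepts. Parameter binding (`doc.space = :space`) remains the right tool for caller-supplied values, but it cannot help here because the caller supplies query structure, not values.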
Successful exploitation allows an attacker to run arbitrary SQL against the Oracle database through functions such as DBMS_XMLGEN or DBMS_XMLQUERY, with the privileges of the database account XWiki connects with. This can expose or alter any data that account can reach, including content outside the wiki's own access controls, and may serve as a foothold for further compromise depending on how that account is privileged (GitHub Advisory).
The vulnerability has been fixed in versions 16.10.6 and 17.3.0-rc-1. There are no known workarounds other than upgrading. Users running an affected version, particularly on an Oracle backend, should upgrade to one of these or a later version (GitHub Advisory).
Source: This report was generated using AI