CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-32969: HQL Hell: Breaking XWiki with a Single Quote and a Dream

Vulnerability ID: CVE-2025-32969
CVSS Score: 9.8
Published: 2025-04-23

A critical unauthenticated HQL injection vulnerability in XWiki's REST API allows attackers to break out of the Hibernate Query Language abstraction and execute raw SQL on the underlying database.

TL;DR

XWiki exposes a REST endpoint that accepts HQL queries. 'Short-form' queries (abbreviated statements that the executor completes into a full statement before running them) were validated in their raw form but executed in their completed form, so the safety check never saw the statement that actually ran. An unauthenticated attacker can use this gap to escape the intended HQL context, which yields blind SQL injection against the backing database, full database compromise and potential RCE. Rated CVSS 9.8.


⚠️ Exploit Status: public PoC available (Nuclei template)

Technical Details

  • CWE ID: CWE-89 (SQL Injection)
  • Attack Vector: Network (REST API)
  • CVSS v3.1: 9.8 (Critical)
  • CVSS v4.0: 9.3 (Critical)
  • EPSS Score: 25.20%
  • EPSS Percentile: 96th Percentile
  • Exploit Status: PoC Available
  • Impact: Confidentiality, Integrity, Availability

Affected Systems

  • XWiki Platform 1.8 to < 15.10.16 (fixed in 15.10.16)
  • XWiki Platform 16.0.0-rc-1 to < 16.4.6 (fixed in 16.4.6)
  • XWiki Platform 16.5.0-rc-1 to < 16.10.1 (fixed in 16.10.1)

Code Analysis

Commit: 5c11a87

Fixed SQL injection in REST query endpoint by normalizing short-form queries before validation

Modified HqlQueryExecutor.java to call toCompleteShortForm() before isSafeSelect().

The ordering is the whole fix: the validator now inspects exactly the statement the executor will run, instead of the raw short form whose completed version it never saw.
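As an added illustration of the ordering flaw the commit addresses (this is a simplified model written for this page, not XWiki's code): the helpers below stand in for the HqlQueryExecutor routines named above and follow only the page's description of them. COMPLETE_PREFIX, the allow-list and the shortcut inside is_safe_select() are assumptions chosen so the gap is visible; whether XWiki's check took exactly that path is not something the page states.

```python
"""Model of the validate-then-complete ordering gap behind CVE-2025-32969.

Added example, not XWiki code. is_short_form(), to_complete_short_form() and
is_safe_select() are stand-ins for the HqlQueryExecutor helpers named on the
page; they follow the page's description of the fix, not the real implementation.
"""
import re

# Assumed: the executor turns a short-form query (a bare "where ..." or ", ..."
# clause) into a full SELECT on the document table by prepending this prefix.
COMPLETE_PREFIX = "select doc.fullName from XWikiDocument doc "

# Constructed allow-list of entities an unauthenticated caller may read.
ALLOWED_ENTITIES = {"xwikidocument", "xwikispace"}

_FROM_TARGET = re.compile(r"\bfrom\s+([A-Za-z_][\w.]*)", re.I)


def is_short_form(statement):
    s = statement.lstrip().lower()
    return s.startswith("where ") or s.startswith(",")


def to_complete_short_form(statement):
    """Complete a short form into the statement that will actually run."""
    return COMPLETE_PREFIX + statement.lstrip() if is_short_form(statement) else statement


def is_safe_select(statement):
    """Allow-list check written for complete statements.

    Modelled shortcut (assumption): a short form is accepted as-is because it
    "only filters the fixed document SELECT", so its clause body, subselects
    included, is never inspected. That is the simplest behaviour producing the
    validate-vs-execute gap the page describes.
    """
    if is_short_form(statement):
        return True
    s = statement.strip()
    if not s.lower().startswith("select "):
        return False
    targets = [m.group(1).lower() for m in _FROM_TARGET.finditer(s)]
    return bool(targets) and all(t in ALLOWED_ENTITIES for t in targets)


def execute_vulnerable(statement):
    """Pre-fix order: validate the raw input, execute its completed form."""
    if not is_safe_select(statement):
        return ("rejected", statement)
    return ("executed", to_complete_short_form(statement))


def execute_fixed(statement):
    """Post-fix order (as the commit describes): complete first, then validate
    the exact statement that will be executed."""
    complete = to_complete_short_form(statement)
    if not is_safe_select(complete):
        return ("rejected", complete)
    return ("executed", complete)


# Constructed inputs: a benign filter, and a short form that closes the string
# literal and drags a non-allow-listed entity in through a subselect.
BENIGN = "where doc.space = 'Main' order by doc.date desc"
HOSTILE = ("where doc.name = '' or exists (select obj.id from BaseObject obj "
           "where obj.className = 'XWiki.XWikiUsers') or doc.name = ''")

if __name__ == "__main__":
    for q in (BENIGN, HOSTILE):
        print("vulnerable:", execute_vulnerable(q))
        print("fixed:     ", execute_fixed(q))
```

Run it and the benign filter passes both paths, while the hostile clause is executed by the pre-fix order and rejected by the fixed one, because the allow-list check finally sees the BaseObject subselect inside the completed statement. The general lesson is the same for any validate-then-transform pipeline: validate the bytes you execute, not the bytes you received.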

Exploit Details

  • Nuclei: a public time-based SQL injection template that injects a sleep call; a delayed response shows the injected clause reached the database.

Mitigation Strategies

  • Upgrade to a fixed version (15.10.16, 16.4.6 or 16.10.1) immediately; this is the only complete fix.
  • As a stopgap, add WAF rules that flag or block requests to the REST query endpoint whose query parameter contains SQL injection patterns (e.g. 'UNION', 'SLEEP'). Keyword matching is easy to evade (case changes, comments, double URL-encoding), so treat such rules as a tripwire, not a patch.
  • Restrict access to /rest/ endpoints to trusted internal networks where possible; the vulnerable endpoint needs no authentication, so network reachability is the attack surface.
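A log-side companion to the WAF advice, written for this page rather than taken from it or from XWiki: a small scanner that pulls the HQL parameter out of Apache/Tomcat combined-format access logs, undoes repeated URL-encoding so double-encoded probes do not slip past, and flags the markers the page itself names (a sleep call, UNION). The resource path /rest/wikis/<wiki>/query with q= and type=hql parameters is assumed here, and the log lines are constructed.

```python
"""Access-log tripwire for injection attempts against the XWiki REST query resource.

Added example, not from the page or from XWiki. Assumed: the resource path is
/rest/wikis/<wiki>/query with the statement in q= and type=hql, and the logs are
in combined format. All sample lines are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Combined log format: host ident user [time] "METHOD target HTTP/x" status size ...
_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
_QUERY_PATH = re.compile(r"(^|/)rest/wikis/[^/]+/query$")

# Markers: the page's PoC is a sleep-based check and its WAF guidance names
# UNION/SLEEP; pg_sleep/benchmark/waitfor cover other common databases. The
# empty-literal-or heuristic catches the "close the quote, OR something" shape.
_MARKERS = [
    ("time-based", re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I)),
    ("union", re.compile(r"\bunion\b", re.I)),
    ("empty-literal-or", re.compile(r"''\s*or\b", re.I)),
]


def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding, a cheap way past keyword-only WAF rules."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding dict for a suspicious query-resource request, else None."""
    m = _LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not _QUERY_PATH.search(url.path):
        return None
    params = parse_qs(url.query)
    q = fully_decode(params.get("q", [""])[0])
    hits = [name for name, rx in _MARKERS if rx.search(q)]
    if not hits:
        return None
    return {
        "src": m.group("src"),
        "time": m.group("time"),
        "type": params.get("type", [""])[0].lower(),
        "status": int(m.group("status")),
        "markers": hits,
        "query": q,
    }


def scan(lines):
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Apr/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # benign use of the query resource
    '10.0.0.5 - - [23/Apr/2025:10:01:05 +0000] "GET /xwiki/rest/wikis/xwiki/query?q=where+doc.space%3D%27Main%27&type=hql HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    # time-based probe, URL-encoded once
    '198.51.100.7 - - [23/Apr/2025:10:02:11 +0000] "GET /xwiki/rest/wikis/xwiki/query?q=where+doc.name%3D%27%27+or+sleep(5)%3D0+or+doc.name%3D%27%27&type=hql HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    # same probe, double-encoded to slip past a naive keyword rule
    '198.51.100.7 - - [23/Apr/2025:10:02:13 +0000] "GET /xwiki/rest/wikis/xwiki/query?q=where%2520doc.name%253D%2527%2527%2520or%2520SLEEP(5)%253D0&type=hql HTTP/1.1" 500 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["src"], finding["markers"], finding["query"])
```

The benign request is left alone while both probes are reported, including the double-encoded one that a rule matching only the raw request line would miss. If your log format records response time, add a threshold on it for the time-based marker: a sleep payload that actually executed shows up as a request that took about as long as the argument to sleep.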

Remediation Steps:

  1. Back up the XWiki database and configuration.
  2. Download the WAR distribution or package update for 16.10.1 (or the fixed release of the branch you run: 15.10.16 or 16.4.6).
  3. Deploy the updated distribution. Prefer a full upgrade over swapping only the xwiki-platform-rest-server JAR: the platform modules are built and released together at one version, so a partial swap is untested against the rest of the installation and can leave the fix incomplete.
  4. Restart the servlet container (Tomcat/Jetty) and confirm that the wiki now reports the fixed version.


Read the full report for CVE-2025-32969 on our website for more details including interactive diagrams and full exploit analysis.
