CrowdSec
3/10CrowdSec Score

XWiki-Platform - Information Disclosure (CVE-2025-29925)

Published on19-03-2025
First seen on04-09-2025
CVSS 8.7/10XWiki - Xwiki-platform

207Exploiting IPs reported

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.

CrowdSec analysis

CVE-2025-29925 is a high-severity vulnerability in XWiki Platform that allows unauthenticated users to enumerate protected page names via specific REST API endpoints, even when view permissions are restricted. This flaw could enable attackers to gather sensitive information about the structure and content of otherwise private wikis, potentially aiding in further targeted attacks or reconnaissance.

CrowdSec has been tracking this vulnerability and its exploits since 3rd of September 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2025-29925 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. CrowdSec network telemetry also shows that exploitation of CVE-2025-29925 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit this vulnerability by sending unauthenticated GET requests to REST API endpoints such as /rest/wikis/xwiki/pages or /xwiki/rest/wikis/xwiki/pages, allowing them to enumerate and access metadata about private XWiki pages.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.

References