CVE-2025-32970

Description

### Impact An open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirect to any URL. To reproduce, open `<xwiki-host>/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://www.example.com/` where `<xwiki-host>` is the URL of your XWiki installation. ### Patches This bug has been fixed in XWiki 15.10.13, 16.4.4 and 16.8.0 by validating the domain of the redirect URL against the configured safe domains and the current request's domain. ### Workarounds A web application firewall could be configured to reject requests with the `xerror` parameter as from our analysis this parameter isn't used anymore. For requests with the `RequiresHTMLConversion` parameter set, the referrer URL should be checked if it points to the XWiki installation. Apart from that, we're not aware of any workarounds.

How to fix CVE-2025-32970

To remediate CVE-2025-32970, upgrade the affected package to a fixed version below.

• —upgrade to 15.10.13 or later

Is CVE-2025-32970 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 13.5-rc-1, < 15.10.13

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-32970
• PATCHgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/commit/6dab7909f45deb00efd36a0cd47788e95ad64802
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-pjhg-9wr9-rj96