CVE-2025-24893: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
AI Analysis
Technical Summary
CVE-2025-24893 is an Eval Injection vulnerability (CWE-95) in the XWiki Platform's SolrSearch feature that allows unauthenticated remote code execution. XWiki is a generic wiki platform widely used for collaborative content management and as a runtime for applications built on top of it. The vulnerability arises because the SolrSearch component does not neutralize wiki-syntax directives embedded in user-supplied input: the `text` search parameter is echoed into the generated RSS feed, and a `{{groovy}}` macro embedded in it is evaluated as Groovy code on the server. An attacker can therefore craft a request to the SolrSearch endpoint with a URL-encoded payload that injects Groovy code, which the server executes. The reproduction example in the description injects a Groovy `println` whose output (`Hello from search text:42`) appears in the RSS feed title, confirming code execution. The flaw affects all XWiki installations running affected versions (>=5.3-milestone-2 and <15.10.11, and >=16.0.0-rc-1 and <16.4.1). Exploitation requires neither authentication nor user interaction, so it is trivially exploitable remotely. The vulnerability compromises the confidentiality, integrity and availability of the affected system, enabling attackers to execute arbitrary commands, manipulate data or disrupt services. The fix changes SolrSearchMacros.xml so that the feed is returned through the `rawResponse` macro with a content type of application/xml, rather than simply output as feed content that the wiki engine renders (and whose macros it executes). Patches are available in XWiki versions 15.10.11, 16.4.1 and 16.5.0RC1. No known exploits are reported in the wild yet, but the high CVSS score and ease of exploitation make this a critical threat.
Potential Impact
The impact of CVE-2025-24893 is severe for organizations using the XWiki Platform, as it allows unauthenticated remote attackers to execute arbitrary code on the server. This can lead to full system compromise, including unauthorized data access, data modification or deletion, service disruption, and potential lateral movement within the network. Confidential information stored or managed via XWiki can be exposed or altered, damaging organizational reputation and compliance posture. The availability of the wiki service can be disrupted, affecting business continuity. Since XWiki is used globally in enterprises, educational institutions, and government agencies, the vulnerability poses a significant risk to any organization relying on it for collaboration or application hosting. The lack of authentication and user interaction requirements increases the likelihood of automated exploitation and rapid spread. Organizations with public-facing XWiki instances are particularly vulnerable to targeted attacks or opportunistic scanning and exploitation.
Mitigation Recommendations
To mitigate CVE-2025-24893, organizations should immediately upgrade affected XWiki Platform instances to versions 15.10.11, 16.4.1, or later. If upgrading is not immediately feasible, a temporary workaround involves editing the SolrSearchMacros.xml file, specifically modifying the 'Main.SolrSearchMacros' on line 955 to output the RSS feed content with a content type of 'application/xml' instead of raw feed content. This change prevents the dynamic evaluation of injected Groovy code. Additionally, organizations should restrict access to the SolrSearch endpoint using network-level controls such as firewalls or web application firewalls (WAFs) to limit exposure. Monitoring and logging access to the SolrSearch URL can help detect exploitation attempts. Implementing runtime application self-protection (RASP) or intrusion detection systems (IDS) that can identify suspicious Groovy code execution may also reduce risk. Finally, organizations should conduct thorough security reviews of custom macros or extensions that process user input dynamically to prevent similar injection flaws.
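As an added example (not code from the advisory or the XWiki project), the following Python script implements the monitoring recommendation above: it parses constructed web-server access-log lines, fully decodes the `text` parameter of requests to the SolrSearch page, and flags values that carry XWiki macro syntax (`{{groovy}}`, `{{async}}`, or the `}}}` that closes a verbatim block), which a guest's search string has no legitimate reason to contain. The log lines, IP addresses and the marker list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2025:04:50:49 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release%20notes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Oct/2025:04:51:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.9 - - [30/Oct/2025:04:51:10 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9001 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Wiki macro / verbatim-block syntax that should never appear in a search string.
MACRO_MARKERS = ("{{groovy", "{{async", "{{velocity", "{{/", "}}}")


def decode_search_text(target):
    """Return the fully decoded `text` parameter of a SolrSearch request, else None."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("/SolrSearch"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("text")
    if not values:
        return None
    text = values[0]  # parse_qs already applied one round of percent-decoding
    for _ in range(2):  # decode again to defeat double encoding (%257B -> %7B -> {)
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_suspicious(log_text):
    """Return one record per SolrSearch request whose decoded text contains macro syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        text = decode_search_text(m.group("target"))
        if text is None:
            continue
        markers = [mk for mk in MACRO_MARKERS if mk in text]
        if markers:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "markers": markers})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Only GET query strings are inspected here; a `text` parameter sent in a POST body does not appear in standard access logs, so pair this with request-body logging at the WAF or reverse proxy.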
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Japan, South Korea, India, Brazil, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-01-27T15:32:29.451Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6902eea9a7d593c9933c3428
Added to database: 10/30/2025, 4:50:49 AM
Last enriched: 2/26/2026, 11:55:44 PM
Last updated: 3/22/2026, 8:12:51 AM