CVE-2025-58049: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer in xwiki xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1.
AI Analysis
Technical Summary
CVE-2025-58049 is a medium-severity vulnerability affecting multiple versions of the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. The vulnerability arises from improper handling of sensitive information during PDF export jobs. Specifically, in affected versions ranging from 14.4.2 up to but not including 16.4.8, 16.5.0-rc-1 up to but not including 16.10.7, and 17.0.0-rc-1 up to but not including 17.4.0-rc-1, the platform stores sensitive cookies, potentially including authentication cookies, unencrypted within the job status data. This violates the secure coding practices described by CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) and CWE-257 (Storing Passwords in Plaintext). An attacker with access to the stored job status data, for example through a backup of the data directory, can retrieve these cookies in plaintext. The cookies could then be used to hijack sessions or escalate privileges, compromising confidentiality. The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N) indicates that exploitation requires network access, high attack complexity, and high privileges, but no user interaction; the changed scope reflects that the leaked cookies grant access beyond the job status store itself. The impact is primarily on confidentiality, with no direct effect on integrity or availability. The vulnerability has been patched in versions 16.4.8, 16.10.7, and 17.4.0-rc-1. No known exploits are currently reported in the wild.
Potential Impact
For European organizations using affected versions of XWiki Platform, this vulnerability poses a risk of sensitive cookie leakage, potentially leading to unauthorized access to internal wiki resources or administrative functions. Since wikis often contain critical documentation, project plans, and internal communications, exposure of authentication cookies could enable attackers to impersonate legitimate users, leading to data breaches or lateral movement within networks. The confidentiality breach could result in intellectual property theft, compliance violations (e.g., GDPR), and reputational damage. The requirement for high privileges to exploit the vulnerability somewhat limits the attack surface; however, insider threats or attackers who have already gained elevated access could leverage this flaw to deepen their foothold. The lack of impact on integrity and availability reduces the risk of direct data manipulation or service disruption but does not diminish the seriousness of unauthorized data exposure.
Mitigation Recommendations
European organizations should immediately assess their XWiki Platform deployments and determine whether they are running affected versions. The primary mitigation is to upgrade to a patched version: 16.4.8, 16.10.7, or 17.4.0-rc-1, or any later release. If an immediate upgrade is not feasible, organizations should restrict access to backup data and to the job status storage location to trusted administrators only, implement strict access controls, and monitor for unusual access patterns. Additionally, invalidating and rotating authentication cookies and session tokens after patching reduces the risk from cookies that were already written to disk. Organizations should also audit their logging and backup processes to ensure sensitive information is not stored in plaintext elsewhere. Employing encryption at rest for backups and sensitive data stores further limits exposure. Finally, educating privileged users about the risks of storing sensitive data unencrypted and enforcing the principle of least privilege will help reduce the likelihood of exploitation.
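The pattern behind this advisory, and the check an operator would want to run against a backup, shown as an added example. This is not XWiki's code, and the page does not say how the XWiki fix is implemented; the status layout, the field names, the JSON storage format and the cookie names are all assumptions made for the illustration (XWiki's real job status format differs, so the scanner would need adapting to it).

```python
"""Added example, not XWiki's code: how a background job's persisted status can
leak the requesting user's cookies (the CWE-212 pattern behind CVE-2025-58049),
how to keep them out of the stored record, and how to scan stored records for
values that should not be there. Layout, field and cookie names are assumed."""
import json
import re
from dataclasses import dataclass, field

REDACTED = "<redacted>"


@dataclass
class ExportJobStatus:
    """Status record of a long-running export job (hypothetical layout)."""
    job_id: str
    user: str
    state: str
    # Cookies are needed while the job runs (it fetches pages as the user),
    # but they must never become part of the persisted record.
    cookies: dict[str, str] = field(default_factory=dict)


def persist_status_unsafe(status: ExportJobStatus) -> str:
    """The anti-pattern: the whole object, cookie values included, is serialized."""
    return json.dumps(vars(status), sort_keys=True)


def persist_status_safe(status: ExportJobStatus) -> str:
    """Store only what a later reader of the status legitimately needs:
    cookie names are kept for debugging, values are dropped before storage
    (dropping rather than encrypting means there is no key to protect)."""
    record = {k: v for k, v in vars(status).items() if k != "cookies"}
    record["cookies"] = {name: REDACTED for name in status.cookies}
    return json.dumps(record, sort_keys=True)


# Cookie names that typically carry session or authentication material
# (assumed names, used only to prioritise findings).
SENSITIVE_NAME = re.compile(r"session|auth|token|remember", re.IGNORECASE)


def find_leaked_cookies(serialized: str) -> list[str]:
    """Scan one persisted status (JSON as written above) and return the names
    of sensitive cookies whose value is still present in plaintext. An operator
    checking a backup would run this over every stored status record."""
    try:
        record = json.loads(serialized)
    except json.JSONDecodeError:
        return []
    leaked = []
    for name, value in record.get("cookies", {}).items():
        if SENSITIVE_NAME.search(name) and value != REDACTED:
            leaked.append(name)
    return sorted(leaked)


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: the cookie values are placeholders, not real tokens."""
    status = ExportJobStatus(
        job_id="pdf-export-42", user="alice", state="running",
        cookies={"JSESSIONID": "placeholder-session-value",
                 "rememberme": "placeholder-remember-me-token",
                 "locale": "en"},
    )
    return (find_leaked_cookies(persist_status_unsafe(status)),
            find_leaked_cookies(persist_status_safe(status)))


if __name__ == "__main__":
    before, after = demo()
    print("leaked in unsafe record:", before)  # ['JSESSIONID', 'rememberme']
    print("leaked in safe record:", after)     # []
```

The design choice worth noting is that `persist_status_safe` removes the values instead of encrypting them: a job status is read back to report progress and errors, never to replay the request, so there is no legitimate consumer of the cookie values after the job finishes and nothing to gain from keeping them, even encrypted.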
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-22T14:30:32.221Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68b099c9ad5a09ad006eacdb
Added to database: 8/28/2025, 6:02:49 PM
Last enriched: 8/28/2025, 6:17:59 PM
Last updated: 8/29/2025, 12:34:44 AM