Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing
Description
A carefully crafted request when creating a header link using the wiki markup syntax could allow the attacker to execute JavaScript in the victim's browser and obtain sensitive information about the victim.
Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.
Apache JSPWiki users should upgrade to 2.12.3 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache JSPWiki header links and markdown parser improperly sanitized input, allowing stored XSS and sensitive data exfiltration.
Vulnerability Overview
CVE-2025-24853 is a stored cross-site scripting (XSS) vulnerability in Apache JSPWiki before 2.12.3. The root cause is that the link text of a local `[#…]` link (rendered as an `<a class="footnote">` anchor; the advisory calls this a header link) was written into the page without HTML escaping even when jspwiki.translatorReader.allowHTML was disabled. The fix commit adds escapeHTMLEntities() to the LOCAL case of makeLink() in JSPWikiMarkupParser. The JSPWiki team later confirmed that the markdown module (jspwiki-markdown) ignored the same property and was vulnerable in the same way, so an editor could inject arbitrary JavaScript through either syntax.
Attack Vector and Exploitation
Anyone who can create or edit wiki content can store a link such as `[#1 <script>alert('XSS')</script>]` (the probe used in the fix's own unit test) in a page; the script then runs in the browser of every user who views that page. No privilege beyond standard editing rights is needed, so the attack is low-complexity and network-based.[1] One caveat when assessing an instance: with allowHTML enabled, raw HTML in pages is permitted by design, so script in a page is a configuration choice rather than this bug. The vulnerability is that the escaping was skipped even with the property disabled, which is the default the markdown module's lookup falls back to.
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to the exfiltration of sensitive information such as session cookies, authentication tokens, or other private data accessible through the victim's session. The vulnerability falls under the stored XSS category, meaning the malicious payload persists on the wiki and affects all subsequent visitors until removed.
Mitigation
The Apache JSPWiki project has released version 2.12.3, which addresses the issue by HTML-escaping the link text when the jspwiki.translatorReader.allowHTML property is disabled, and by making the markdown module read that property. The fix is commit 402f9a1 (JSPWIKI-1204), merged through pull request #376.[3][4] Users should upgrade to 2.12.3 or later; the references give no workaround for earlier releases.[1][2]
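A regression check a practitioner would want for the attack path and the fix described above: save the fix commit's own test payload to a page, fetch the rendered page, and classify what came back. This is an added example, not code from the advisory or the JSPWiki project. It assumes the caller handles the HTTP side (the edit/save endpoint and login differ per deployment) and only classifies the response. The "vulnerable" sample response is the expected-output string from the fix's unit test; the "patched" sample is an assumed shape of escaped output, not captured from a real instance.

```python
"""Response-side check for CVE-2025-24853 (JSPWiki footnote/header link XSS).

Added example, not JSPWiki project code. The caller must already have saved a
page containing PROBE_MARKUP and fetched the rendered HTML; this module only
classifies that HTML.
"""
from html.parser import HTMLParser

# Probe taken from the fix commit's unit test (JSPWikiMarkupParserTest).
PROBE_MARKUP = "This should be a [#1 <script>alert('XSS')</script>]"
PROBE_SCRIPT_BODY = "alert('XSS')"
PROBE_TEXT = "<script>alert('XSS')</script>"
ALLOWHTML_PROPERTY = "jspwiki.translatorReader.allowHTML"  # property named in the fix


class _ProbeScanner(HTMLParser):
    """Records executable <script> bodies and plain text seen in the page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &lt;script&gt; arrives as text '<script>'
        self._in_script = False
        self.script_bodies = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inside <script>, html.parser hands over the raw script source.
        (self.script_bodies if self._in_script else self.text).append(data)


def probe_outcome(rendered_html: str) -> str:
    """'vulnerable' if the probe came back as a live <script> element,
    'patched' if it came back escaped (visible as text), else 'inconclusive'
    (probe absent: save failed, page cached, different renderer, ...)."""
    s = _ProbeScanner()
    s.feed(rendered_html)
    s.close()
    if any(PROBE_SCRIPT_BODY in body for body in s.script_bodies):
        return "vulnerable"
    if PROBE_TEXT in "".join(s.text):
        return "patched"
    return "inconclusive"


def verdict(outcome: str, allow_html_enabled: bool) -> str:
    """Interpret the outcome against the instance's allowHTML setting: with the
    property enabled, raw HTML in pages is permitted by design, so the probe
    executing is a configuration choice rather than this CVE."""
    if outcome == "vulnerable" and allow_html_enabled:
        return f"raw HTML permitted by {ALLOWHTML_PROPERTY}=true; not CVE-2025-24853"
    if outcome == "vulnerable":
        return "unescaped link text with allowHTML disabled: upgrade to 2.12.3 or later"
    if outcome == "patched":
        return "link text is HTML-escaped; fix present"
    return "probe not found in response; check that the page was saved and rendered"


# Constructed sample responses. SAMPLE_VULNERABLE is the expected-output string
# from the fix commit's testEscapeHTMLWhenHTMLNotAllowed; SAMPLE_PATCHED is the
# assumed shape an escaping renderer would emit for the same markup.
SAMPLE_VULNERABLE = (
    'This should be a <a class="footnote" name="ref-testpage-1 <script>alert(\'XSS\')</script>">'
    "[#1 <script>alert('XSS')</script>]</a>"
)
SAMPLE_PATCHED = (
    'This should be a <a class="footnote" name="ref-testpage-1 &lt;script&gt;alert(\'XSS\')&lt;/script&gt;">'
    "[#1 &lt;script&gt;alert('XSS')&lt;/script&gt;]</a>"
)

if __name__ == "__main__":
    for name, page in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
        out = probe_outcome(page)
        print(f"{name}: {out} -> {verdict(out, allow_html_enabled=False)}")
```

Run it against the real response body of the page you saved the probe to, and pass the instance's actual allowHTML setting to verdict(): a "vulnerable" result on an instance that deliberately enables raw HTML is not evidence of this CVE, only of that configuration.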
- [1] NVD - CVE-2025-24853
- [2] GitHub - apache/jspwiki (Apache JSPWiki repository)
- [3] Merge pull request #376 from arturobernalg/JSPWIKI-1204 · apache/jspwiki@f4089cb
- [4] [SECURITY][XBOW-024-109] Fix XSS vulnerability in header link rendering · apache/jspwiki@402f9a1
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.jspwiki:jspwiki-main | Maven | < 2.12.3 | 2.12.3 |
| org.apache.jspwiki:jspwiki-markdown | Maven | < 2.12.3 | 2.12.3 |
Affected products
- Apache Software Foundation / Apache JSPWiki (all versions before 2.12.3)
Patches
f4089cb6d532 Merge pull request #376 from arturobernalg/JSPWIKI-1204
5 files changed · +48 −3
ChangeLog.md+10 −0 modified@@ -17,6 +17,16 @@ specific language governing permissions and limitations under the License. --> +**2024-12-24 Arturo Bernal (abernal AT apache DOT org)** + +* _2.12.3-git-04_ + +* Fix for [SECURITY][DISCUSS] XBOW-024-109 XSS in JSPWiki Header Link Name + * Addressed XSS vulnerability in JSPWiki header link name by ensuring proper HTML escaping when `jspwiki.translatorReader.allowHTML` is disabled. + * Fixed markdown module to respect `jspwiki.translatorReader.allowHTML` property, preventing XSS in markdown syntax. + * Changes include improved input sanitization and added appropriate tests for validation. + + **2024-12-19 Juan Pablo Santos (juanpablo AT apache DOT org)** * _2.12.3-git-03_
jspwiki-api/src/main/java/org/apache/wiki/api/Release.java+1 −1 modified@@ -69,7 +69,7 @@ public final class Release { * <p> * If the build identifier is empty, it is not added. */ - public static final String BUILD = "03"; + public static final String BUILD = "04"; /** * This is the generic version string you should use when printing out the version. It is of
jspwiki-main/src/main/java/org/apache/wiki/parser/JSPWikiMarkupParser.java+6 −2 modified@@ -1,4 +1,4 @@ -/* + /* Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information @@ -298,7 +298,11 @@ private Element makeLink( int type, final String link, String text, String secti case LOCAL: el = new Element( "a" ).setAttribute( "class", CLASS_FOOTNOTE ); el.setAttribute( "name", "ref-" + m_context.getName() + "-" + link.substring( 1 ) ); - el.addContent( "[" + text + "]" ); + if( !m_allowHTML ) { + el.addContent( "[" + escapeHTMLEntities( text ) + "]" ); + } else { + el.addContent( "[" + text + "]" ); + } break; // With the image, external and interwiki types we need to make sure nobody can put in Javascript or
jspwiki-main/src/test/java/org/apache/wiki/parser/JSPWikiMarkupParserTest.java+28 −0 modified@@ -1947,4 +1947,32 @@ public void testAmpersand2() throws Exception { "----\n" + "author: [Asser], [Ebu], [JanneJalkanen], [Jarmo|mailto:jarmo@regex.com.au]\n"; + + @Test + public void testEscapeHTMLWhenHTMLNotAllowed() throws Exception { + final String src = "This should be a [#1 <script>alert('XSS')</script>]"; + testEngine = TestEngine.build(with("jspwiki.translatorReader.allowHTML", "false")); // Disable HTML + final Page page = Wiki.contents().page(testEngine, PAGE_NAME); + final String output = translate(testEngine, page, src); + Assertions.assertEquals( + "This should be a <a class=\"footnote\" name=\"ref-testpage-1 <script>alert('XSS')</script>\">[#1 <script>alert('XSS')</script>]</a>", + output + ); + } + + + @Test + public void testNoEscapeHTMLWhenHTMLAllowed() throws Exception { + final String src = "This should be a [#1 <b>bold</b>]"; + testEngine = TestEngine.build(with("jspwiki.translatorReader.allowHTML", "true")); // Enable HTML + final Page page = Wiki.contents().page(testEngine, PAGE_NAME); + final String output = translate(testEngine, page, src); + Assertions.assertEquals( + "This should be a <a class=\"footnote\" name=\"ref-testpage-1 <b>bold</b>\">[#1 <b>bold</b>]</a>", + output + ); + } + + + } \ No newline at end of file
jspwiki-markdown/src/main/java/org/apache/wiki/parser/markdown/MarkdownDocument.java+3 −0 modified@@ -23,6 +23,7 @@ Licensed to the Apache Software Foundation (ASF) under one import com.vladsch.flexmark.ext.footnotes.FootnoteExtension; import com.vladsch.flexmark.ext.tables.TablesExtension; import com.vladsch.flexmark.ext.toc.TocExtension; +import com.vladsch.flexmark.html.HtmlRenderer; import com.vladsch.flexmark.parser.Parser; import com.vladsch.flexmark.parser.ParserEmulationProfile; import com.vladsch.flexmark.util.ast.Node; @@ -33,6 +34,7 @@ Licensed to the Apache Software Foundation (ASF) under one import org.apache.wiki.api.core.Page; import org.apache.wiki.markdown.MarkdownForJSPWikiExtension; import org.apache.wiki.parser.JSPWikiMarkupParser; +import org.apache.wiki.parser.MarkupParser; import org.apache.wiki.parser.WikiDocument; import java.util.Arrays; @@ -69,6 +71,7 @@ public static MutableDataSet options( final Context context, final boolean isIma options.set( AttributesExtension.ASSIGN_TEXT_ATTRIBUTES, true ); // align style of Markdown's footnotes extension with jspwiki footnotes refs options.set( FootnoteExtension.FOOTNOTE_LINK_REF_CLASS, JSPWikiMarkupParser.CLASS_FOOTNOTE_REF ); + options.set( HtmlRenderer.ESCAPE_HTML, context.getBooleanWikiProperty( MarkupParser.PROP_ALLOWHTML, false)); options.set( Parser.EXTENSIONS, Arrays.asList( new Extension[] { new MarkdownForJSPWikiExtension( context, isImageInlining, inlineImagePatterns ), AttributesExtension.create(), DefinitionExtension.create(),
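Review bot: in the `case LOCAL:` hunk of JSPWikiMarkupParser.java only the anchor text gets the new `m_allowHTML` branch; the `name` attribute on the line just above it is still built from `link.substring( 1 )` unchanged, so the same user-controlled string reaches an attribute value through a second path. Unless the serializer is known to escape attribute values, give the `name` value the same treatment and add a test whose link contains `"` and `>` to pin that down. The first hunk in the same file also turns the license header's `/*` into ` /*`, an unrelated whitespace change that should be dropped from a security fix.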
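Review bot: the expected string in `testEscapeHTMLWhenHTMLNotAllowed` contains the raw `<script>alert('XSS')</script>` both in the `name` attribute and inside `[#1 ...]`, which is exactly the unescaped output this change is meant to remove. If `escapeHTMLEntities( text )` now runs for this input the anchor text should read `[#1 &lt;script&gt;alert('XSS')&lt;/script&gt;]` and the assertion as written fails; if the assertion passes, the payload still renders as markup. One of the two must be corrected before this merges as a security fix. `testNoEscapeHTMLWhenHTMLAllowed` is a useful contrast and can stay.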
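Review bot: `options.set( HtmlRenderer.ESCAPE_HTML, context.getBooleanWikiProperty( MarkupParser.PROP_ALLOWHTML, false))` in MarkdownDocument.java passes the allowHTML value straight through, and the option name says true means escape; read literally, that escapes HTML when the wiki allows it and leaves it raw when allowHTML is false (the default supplied right there), the opposite of what the ChangeLog entry describes. Expect the negation, `!context.getBooleanWikiProperty( MarkupParser.PROP_ALLOWHTML, false )`, and add a jspwiki-markdown test analogous to the one added for the wiki parser so the sign cannot flip silently; the markdown module has no test in this patch at all.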
402f9a18b57d [SECURITY][XBOW-024-109] Fix XSS vulnerability in header link rendering
5 files changed · +48 −3 (the same five-file diff as the merge commit f4089cb above)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rrff-chj9-w4c7 (GHSA, advisory)
- jspwiki-wiki.apache.org/Wiki.jsp (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-24853 (advisory)
- www.openwall.com/lists/oss-security/2025/07/30/2 (web)
- github.com/apache/jspwiki/commit/402f9a18b57dd910afba0139e6d3112d54ad650a (fix commit)
- github.com/apache/jspwiki/commit/f4089cb6d53223c2c291196ba687753a8b0422cf (merge commit)
- github.com/apache/jspwiki/pull/376 (pull request)