CVE-2025-48885
Description
application-urlshortener creates shortened URLs for XWiki pages. Versions prior to 1.2.4 allow users with view access to create arbitrary pages. Any user (even guests) can create these documents, even if they do not already exist. This lets guest users disrupt the structure of the wiki by creating thousands of pages with random names, which then become very difficult for admins to handle. Version 1.2.4 fixes the issue. No known workarounds are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XWiki URL Shortener prior to 1.2.4 allows users with view access to create arbitrary pages, enabling guest users to flood the wiki with unwanted pages.
Vulnerability
The XWiki URL Shortener application (application-urlshortener) prior to version 1.2.4 does not check whether the target document already exists before creating a short URL for it. In XWiki, resolving a document reference that is not yet stored yields a new, empty document, so when the shortener attaches its short-URL object to that document and saves it, the page is created as a side effect. Any user with view access, including unauthenticated guests on a wiki that grants them view right, can therefore create arbitrary pages [1][2].
Exploitation
An attacker can exploit this by issuing a crafted POST request to the URL shortener's REST endpoint, specifying a currentDocRef parameter for a non-existent page. For example:
curl -X POST -k -i 'http://localhost:8080/rest/p/create?currentDocRef=xwiki:caubin.test.WebHome'
Even without authentication, on a wiki that grants guests view access (the usual public-wiki configuration), the request creates the specified document and adds a short URL object to it. No special privileges or prior knowledge of the wiki structure are required; the attacker only needs to choose a document reference that does not yet exist [2].
Impact
A guest user can mass-create thousands of pages with random names, making it extremely difficult for administrators to manage the wiki's page hierarchy. The created pages are ordinary wiki documents that persist until an administrator deletes them, so the cleanup burden is significant. The vulnerability does not directly allow code execution or data theft, but it can disrupt normal wiki operations [2].
Mitigation
Version 1.2.4 of the URL Shortener fixes this issue by adding a check that the target document already exists before creating the short URL [1]. No workarounds are available; upgrade the extension to 1.2.4 or later (for example through the Extension Manager). The vulnerability is not known to be exploited in the wild, but exploitation needs only an unauthenticated HTTP request, so patching should not be delayed. After upgrading, review recently created pages for junk documents left by earlier abuse.
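To make the missing check concrete, the following model of the create endpoint contrasts the pre-1.2.4 behaviour described under Vulnerability and Exploitation with the 1.2.4 behaviour described here. It is an added illustration written for this page, not XWiki's or the extension's own code: the document store, the rights model, the short-URL object class name and the flood routine are simplified stand-ins (assumptions), and the only difference between the two handlers is the existence check the fix introduces.

```python
"""Model of the URL shortener's create endpoint before and after the fix.

Added illustration, not XWiki's code: the wiki store, the rights check,
the object model and the short-ID generator are simplified stand-ins.
The only difference between the two handlers is the existence check
that version 1.2.4 adds.
"""
import secrets
from dataclasses import dataclass, field

GUEST = "XWiki.XWikiGuest"                      # XWiki's guest user name
SHORT_URL_CLASS = "URLShortener.ShortURLClass"  # assumed object class name


class Forbidden(Exception):
    """Caller has no view right on the target document."""


class NotFound(Exception):
    """Target document does not exist (raised only by the fixed handler)."""


@dataclass
class Document:
    ref: str
    objects: list = field(default_factory=list)


class Wiki:
    """Tiny stand-in for the XWiki document store.

    As in XWiki, resolving a reference never fails: asking for a document
    that is not stored yields a fresh, empty one, and saving that document
    creates the page.  The vulnerable handler relies on exactly that.
    """

    def __init__(self, existing_pages, public=True):
        self.docs = {ref: Document(ref) for ref in existing_pages}
        self.public = public  # guests hold view right when True (constructed rule)

    def exists(self, ref):
        return ref in self.docs

    def get_document(self, ref):
        return self.docs.get(ref) or Document(ref)

    def save(self, doc):
        self.docs[doc.ref] = doc

    def has_view(self, user, ref):
        # Constructed rights model: registered users always have view,
        # guests only on a public wiki.
        return user != GUEST or self.public


def parse_doc_ref(raw):
    """Accept 'wiki:Space.Page' style references; reject empty or malformed ones."""
    if not raw or ":" not in raw or "." not in raw.split(":", 1)[1]:
        raise ValueError(f"bad currentDocRef: {raw!r}")
    return raw


def _attach_short_url(wiki, doc):
    short_id = secrets.token_urlsafe(6)
    doc.objects.append({"class": SHORT_URL_CLASS, "id": short_id})
    wiki.save(doc)
    return short_id


def create_vulnerable(wiki, user, params):
    """Pre-1.2.4 behaviour: view right is checked, existence is not."""
    ref = parse_doc_ref(params.get("currentDocRef"))
    if not wiki.has_view(user, ref):
        raise Forbidden(ref)
    doc = wiki.get_document(ref)          # empty document for a missing page
    return _attach_short_url(wiki, doc)   # save() now creates the page


def create_fixed(wiki, user, params):
    """1.2.4 behaviour: refuse to shorten a page that does not exist."""
    ref = parse_doc_ref(params.get("currentDocRef"))
    if not wiki.has_view(user, ref):
        raise Forbidden(ref)
    if not wiki.exists(ref):
        raise NotFound(ref)
    return _attach_short_url(wiki, wiki.get_document(ref))


def flood(wiki, handler, count, user=GUEST):
    """Guest mass-creation attempt; returns how many new pages appeared."""
    before = len(wiki.docs)
    for i in range(count):
        # index keeps the references unique, random suffix mimics the attack
        ref = f"xwiki:Main.junk{i}-{secrets.token_hex(3)}.WebHome"
        try:
            handler(wiki, user, {"currentDocRef": ref})
        except NotFound:
            pass
    return len(wiki.docs) - before


if __name__ == "__main__":
    pages = ["xwiki:Main.WebHome", "xwiki:Sandbox.WebHome"]  # constructed sample wiki
    print("vulnerable:", flood(Wiki(pages), create_vulnerable, 1000), "pages created")
    print("fixed:     ", flood(Wiki(pages), create_fixed, 1000), "pages created")
```

Running the script shows the whole gap: the vulnerable handler turns 1000 guest requests into 1000 persisted pages, the fixed one into none, while legitimate short URLs for existing pages still work. The view-right check alone does not help because, on a public wiki, the guest does hold view right on the not-yet-existing target.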
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
application-urlshortener-1.0, application-urlshortener-1.1, application-urlshortener-1.1.1, …+ 1 more
- (no CPE) range: application-urlshortener-1.0, application-urlshortener-1.1, application-urlshortener-1.1.1, …
- (no CPE) range: <1.2.4
Patches
2bdc4bb7453f7f121a9c973fd
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.