Moderate severityNVD Advisory· Published Aug 28, 2025· Updated Aug 28, 2025
XWiki PDF export jobs store sensitive cookies unencrypted in job statuses
CVE-2025-58049
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-export-pdf-apiMaven | >= 14.4.2, < 16.4.8 | 16.4.8 |
org.xwiki.platform:xwiki-platform-export-pdf-apiMaven | >= 16.5.0-rc-1, < 16.10.7 | 16.10.7 |
org.xwiki.platform:xwiki-platform-export-pdf-apiMaven | >= 17.0.0-rc-1, < 17.4.0-rc-1 | 17.4.0-rc-1 |
Affected products
1- Range: >= 14.4.2, < 16.4.8
Patches
160982ad0057bXWIKI-23151: Cleanup the PDF export job request after the job is finished
2 files changed · +31 −0
xwiki-platform-core/xwiki-platform-export/xwiki-platform-export-pdf/xwiki-platform-export-pdf-api/src/main/java/org/xwiki/export/pdf/internal/job/PDFExportJob.java+16 −0 modified@@ -76,6 +76,22 @@ public class PDFExportJob extends AbstractPDFExportJob @Override protected void runInternal() throws Exception + { + try { + exportAsPDF(); + } finally { + cleanup(); + } + } + + private void cleanup() + { + // Avoid saving sensitive information along with the PDF export job status. This information is not needed + // anymore after the PDF export job is done (whether the PDF is generated client-side or server-side). + getRequest().getContext().keySet().removeAll(List.of("request.session", "request.headers", "request.cookies")); + } + + private void exportAsPDF() throws Exception { if (!this.request.getDocuments().isEmpty()) { this.requiredSkinExtensionsRecorder.start();
xwiki-platform-core/xwiki-platform-export/xwiki-platform-export-pdf/xwiki-platform-export-pdf-api/src/test/java/org/xwiki/export/pdf/internal/job/PDFExportJobTest.java+15 −0 modified@@ -20,6 +20,7 @@ package org.xwiki.export.pdf.internal.job; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertSame; import static org.junit.jupiter.api.Assertions.fail; @@ -159,6 +160,7 @@ void runServerSide() throws Exception when(this.pdfPrinter.print(printPreviewURL)).thenReturn(pdfContent); this.request.setServerSide(true); + this.request.getContext().put("request.session", "session"); this.pdfExportJob.initialize(this.request); this.pdfExportJob.runInternal(); @@ -170,11 +172,14 @@ void runServerSide() throws Exception TemporaryResourceReference pdfFileReference = jobStatus.getPDFFileReference(); verify(this.temporaryResourceStore).createTemporaryFile(pdfFileReference, pdfContent); + + assertFalse(this.request.getContext().containsKey("request.session")); } @Test void runClientSide() throws Exception { + this.request.getContext().put("request.headers", "headers"); this.pdfExportJob.initialize(this.request); this.pdfExportJob.runInternal(); @@ -188,6 +193,8 @@ void runClientSide() throws Exception assertEquals(2, renderingResults.size()); assertSame(this.firstPageRendering, renderingResults.get(0)); assertSame(this.secondPageRendering, renderingResults.get(1)); + + assertFalse(this.request.getContext().containsKey("request.headers")); } @Test @@ -216,6 +223,7 @@ void runWithTemplateSpecified() throws Exception @Test void runWithoutDocuments() throws Exception { + this.request.getContext().put("request.cookies", "cookies"); this.request.setDocuments(Collections.emptyList()); this.pdfExportJob.initialize(this.request); this.pdfExportJob.runInternal(); @@ -224,6 +232,8 @@ void runWithoutDocuments() throws Exception assertNull(jobStatus.getPDFFileReference()); assertNull(jobStatus.getRequiredSkinExtensions()); assertEquals(0, jobStatus.getDocumentRenderingResults().size()); + + assertFalse(this.request.getContext().containsKey("request.cookies")); } @Test @@ -233,6 +243,8 @@ void runWithContentSizeLimitExceeded() throws Exception new XDOM(Collections.singletonList(new WordBlock("second"))), StringUtils.repeat('x', 1000)); when(this.documentRenderer.render(this.secondPageReference, this.rendererParameters)).thenReturn(largeResult); + this.request.getContext().put("request.cookies", "cookies"); + this.request.getContext().put("request.foo", "bar"); this.pdfExportJob.initialize(this.request); try { this.pdfExportJob.runInternal(); @@ -243,6 +255,9 @@ void runWithContentSizeLimitExceeded() throws Exception + " or disable this limit from the PDF Export administration section or from XWiki properties.", e.getMessage()); } + + assertFalse(this.request.getContext().containsKey("request.cookies")); + assertEquals("bar", this.request.getContext().get("request.foo")); } @Test
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-9m7c-m33f-3429ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-58049ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539ghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429ghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-23151ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.