Is org.xwiki.contrib.oidc:oidc-authenticator affected by CVE-2025-49594?

Maven org.xwiki.contrib.oidc:oidc-authenticator is affected in >=2.17.1 <2.18.2.

Is CVE-2025-49594 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

critical

CVE-2025-49594

Q: Is CVE-2025-49594 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

Maven · org.xwiki.contrib.oidc:oidc-authenticator

Summary

XWiki OIDC Authenticator: Users with "view" access can create tokens for any users they can view

Severity: critical
EPSS: 0.5% (p41)
Also known as: GHSA-f2hf-pfrj-vrm7
Published: 2025-10-06

References

https://github.com/xwiki-contrib/oidc/security/advisories/GHSA-f2hf-pfrj-vrm7
https://nvd.nist.gov/vuln/detail/CVE-2025-49594
https://github.com/xwiki-contrib/oidc/commit/d90d717172283aaa96bb5bb44e357f910ae64adb

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.