Platform: java
Component: org.xwiki.platform:xwiki-platform-webjars-api
Fixed in: 6.1.1, 16.10.7, 16.10.7
CVE-2025-55747 describes a path traversal vulnerability discovered in the XWiki Platform Webjars API. This flaw allows attackers to potentially access and read sensitive configuration files by manipulating URLs, bypassing intended access controls. The vulnerability impacts versions of XWiki Platform prior to 16.10.7 and 17.4.0-rc-1, and a patch is available to address the issue.
The primary impact of CVE-2025-55747 is the unauthorized disclosure of sensitive information. By crafting malicious URLs, an attacker can traverse the file system and access files outside of the intended web root. Specifically, the vulnerability allows access to the xwiki.cfg file, which contains configuration details for the XWiki platform. Exposure of this file could reveal database credentials, API keys, and other sensitive settings, enabling further exploitation and potentially leading to complete system compromise. This vulnerability is similar in concept to other path traversal attacks, where improper input validation allows attackers to navigate outside of intended directories.
CVE-2025-55747 was publicly disclosed on September 3, 2025. As of this date, there are no reports of active exploitation in the wild. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's ease of exploitation suggests a potential for future exploitation if left unpatched.
Organizations deploying XWiki Platform, particularly those with publicly accessible instances, are at risk. Legacy XWiki installations and those with misconfigured access controls are especially vulnerable. Shared hosting environments where multiple users share the same XWiki instance also face increased risk.
• java / server: ps aux | grep xwiki
• java / server: journalctl -u xwiki | grep -i "webjars"
• generic web: curl -I http://<target>/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg
Disclosure
Exploit status
EPSS
1.99% (83rd percentile)
CISA SSVC
The recommended mitigation for CVE-2025-55747 is to immediately upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. These versions include a fix that prevents the path traversal vulnerability. As there is no known workaround, upgrading is the only viable solution. If upgrading is not immediately feasible, consider implementing strict input validation on all URL parameters to prevent malicious path manipulation. While not a direct fix, this can provide a temporary layer of defense. After upgrading, confirm the fix by attempting to access the vulnerable URL (http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg) and verifying that access is denied.
Update XWiki Platform to version 16.10.7 or later. This version fixes the vulnerability that allowed unauthorized access to configuration files via the webjars API. The update ensures that the configuration files are protected and not publicly accessible.
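The detection commands above only grep for the literal string "webjars", and the upgrade guidance leaves the version comparison to the reader. The script below is an added example written for this page, not code from XWiki or from the advisory. It does two defender-side checks: it flags access-log requests whose webjars path still contains a ".." segment after URL decoding (the probe URL on this page encodes the slashes as %2F, so a decoder is needed before matching), and it reports whether an installed version string falls in the affected range. The log lines are constructed for the example; the version logic assumes, from the "prior to 16.10.7 and 17.4.0-rc-1" wording, that every 17.x build before 17.4.0-rc-1 is affected and that the decoding loop (bounded to three rounds) is a reasonable hedge against double-encoded input.

```python
"""
Defender-side checks for CVE-2025-55747 (XWiki webjars path traversal).
Added example, not XWiki code. Log lines and version ranges are assumptions
derived from the advisory text, not from the XWiki project.
"""
import re
from urllib.parse import unquote

# Sortable version keys: (major, minor, patch, is_final, rc_number).
# A release candidate sorts before the final build of the same number.
FIXED_16 = (16, 10, 7, 1, 0)      # 16.10.7 (advisory: first fixed 16.x)
FIRST_17 = (17, 0, 0, 0, 0)       # assumption: every 17.x before the rc is affected
FIXED_17 = (17, 4, 0, 0, 1)       # 17.4.0-rc-1 (advisory: first fixed 17.x)

_REQ = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc-(\d+))?$")


def version_key(version: str):
    """Map 'X.Y.Z' or 'X.Y.Z-rc-N' to a tuple that orders rc builds before finals."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def is_affected_version(version: str) -> bool:
    """True if the version precedes the fixed release on its branch."""
    key = version_key(version)
    if key < FIXED_16:
        return True
    return FIRST_17 <= key < FIXED_17


def fully_decoded(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so encoded '..' segments become visible."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_webjars_traversal(raw_path: str) -> bool:
    """Flag a webjars request whose decoded path climbs with a '..' segment."""
    path = raw_path.split("?", 1)[0]
    decoded = fully_decoded(path).replace("\\", "/")
    if not decoded.lower().startswith("/xwiki/webjars/"):
        return False
    return any(seg == ".." for seg in decoded.split("/"))


def scan_access_log(lines):
    """Return (line_number, decoded_path) for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQ.search(line)
        if m and is_webjars_traversal(m.group(1)):
            hits.append((n, fully_decoded(m.group(1).split("?", 1)[0])))
    return hits


# Constructed sample log (Apache combined format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Sep/2025:10:12:01 +0000] "GET /xwiki/webjars/wiki%3Axwiki/jquery/3.7.1/jquery.min.js HTTP/1.1" 200 87533',
    '10.0.0.9 - - [03/Sep/2025:10:12:07 +0000] "HEAD /xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg HTTP/1.1" 200 -',
    '10.0.0.9 - - [03/Sep/2025:10:12:09 +0000] "GET /xwiki/webjars/wiki%3Axwiki/%252e%252e%252f%252e%252e%252fWEB-INF%252fxwiki.cfg HTTP/1.1" 200 -',
    '10.0.0.7 - - [03/Sep/2025:10:13:44 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for n, path in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: traversal attempt -> {path}")
    for v in ("16.10.6", "16.10.7", "17.3.2", "17.4.0-rc-1", "17.4.0"):
        print(f"{v}: {'affected' if is_affected_version(v) else 'fixed'}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a 200 status on a flagged line before the upgrade is the signal worth escalating, and the same request should return a denial once 16.10.7 or 17.4.0-rc-1 is installed.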
CVE-2025-55747 is a critical path traversal vulnerability in the XWiki Platform Webjars API that allows attackers to read sensitive configuration files by manipulating URLs.
Yes, if you are running XWiki Platform versions prior to 16.10.7 or 17.4.0-rc-1, you are vulnerable to this path traversal vulnerability.
Upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. There is no known workaround other than upgrading.
As of September 3, 2025, there are no reports of active exploitation in the wild, but the vulnerability's ease of exploitation suggests a potential for future exploitation.
You can find the official advisory on the XWiki Jira issue tracker: https://jira.xwiki.org/browse/XWIKI-19350