Platform
java
Component
org.xwiki.platform:xwiki-platform-skin-skinx
Fixed in
4.2.1
16.10.7
CVE-2025-55748 is a critical vulnerability in XWiki Platform, specifically in the xwiki-platform-skin-skinx component. An attacker can read sensitive configuration files by crafting URLs to the skin extension (jsx and sx) endpoints, which can expose data that enables further compromise of the system. Releases before 16.10.7, and 17.x releases before 17.4.0-rc-1, are affected; the fix ships in 16.10.7 and 17.4.0-rc-1.
The primary impact of CVE-2025-55748 is unauthorized disclosure of configuration files within the XWiki Platform. By crafting specific URLs, an attacker bypasses the intended access controls and retrieves files such as xwiki.cfg from the WEB-INF directory. xwiki.cfg can hold secrets such as the superadmin password and the authentication validation and encryption keys, and neighbouring WEB-INF files such as hibernate.cfg.xml hold the database credentials, so anything read from this directory should be assumed to give an attacker a foothold for further compromise. The issue has been confirmed reproducible on Tomcat; other servlet containers have not been ruled out. Successful exploitation could lead to data breaches, privilege escalation and ultimately complete system takeover.
CVE-2025-55748 was publicly disclosed on September 3, 2025. The vulnerability is simple to trigger and affects a widely deployed product, which suggests a moderate probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the low effort required makes it a likely target. Monitor security advisories and threat intelligence feeds for signs of active exploitation campaigns.
Exploit Status
EPSS
0.57% (69th percentile)
CISA SSVC
The recommended mitigation for CVE-2025-55748 is to upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1 immediately. There is no vendor workaround other than upgrading, so prioritize this action. If upgrading is not immediately feasible, a stopgap is to have your web application firewall (WAF) or reverse proxy reject requests to the jsx and sx endpoints whose path escapes upward (the pattern ../../WEB-INF/xwiki.cfg), and, more robustly, to reject any request whose decoded path contains WEB-INF at all, since that directory is never legitimately served. Match on the percent-decoded, normalized path rather than the raw string: %2e%2e, double-encoded %252e%252e and Tomcat's ..;/ path-parameter form all reach the same place and a literal-string rule misses them. Treat this as a stopgap, not a fix. Monitor access logs for these patterns; a traversal request that was answered with HTTP 200 means the file was served, and the secrets held in xwiki.cfg should then be rotated. After upgrading, confirm the vulnerability is resolved by attempting the original exploit URL and verifying that access is denied.
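The log review described above, as an added example that is not part of this advisory or of the XWiki project: a small Python scanner that parses combined-format access log lines (an assumption about your log format), percent-decodes each request path repeatedly, strips Tomcat-style ;param path parameters, and flags any request that reaches WEB-INF or that carries a dot-dot segment after a /bin/jsx or /bin/sx action. The sample log lines are constructed, not captured traffic; the set of actions is the two named on this page and can be extended.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Combined-log-format parser (assumption: Apache/nginx style access log lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Skin-extension actions named in the advisory; add others your deployment exposes.
SKINX_ACTIONS = {"jsx", "sx"}


def decode_target(target: str, rounds: int = 3) -> str:
    """Reduce a raw request-target to a decoded path for inspection.

    - query string and fragment dropped
    - percent-decoding repeated (bounded) so %252e%252e unwraps like %2e%2e
    - ';param' path parameters stripped per segment (Tomcat ignores them,
      which is how '..;/' smuggles a dot-dot segment past literal filters)
    - backslashes folded to forward slashes
    """
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r";[^/]*", "", path)
    return path.replace("\\", "/")


def classify_target(target: str) -> Optional[str]:
    """Return a reason string if the request looks like CVE-2025-55748 probing, else None."""
    segments = decode_target(target).split("/")
    lowered = [s.lower() for s in segments]

    # WEB-INF must never appear in a served path, whatever the action.
    if "web-inf" in lowered:
        return "WEB-INF in decoded path"

    # /<context>/bin/<action>/...: a dot-dot segment after a skin-extension action.
    for i, seg in enumerate(segments):
        if seg == "bin" and i + 1 < len(segments) and segments[i + 1] in SKINX_ACTIONS:
            if ".." in segments[i + 2:]:
                return f"dot-dot traversal after /bin/{segments[i + 1]}"
    return None


def scan_log(lines: list[str]) -> list[dict]:
    """Return one dict per suspicious request; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_target(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "reason": reason})
    return hits


def served_successfully(hits: list[dict]) -> bool:
    """True if any flagged request got a 200: the file was served, rotate xwiki.cfg secrets."""
    return any(h["status"] == 200 for h in hits)


# Constructed sample log lines (not real traffic): one benign skinx request,
# four traversal variants, one ordinary page view and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Sep/2025:10:00:01 +0000] "GET /xwiki/bin/jsx/XWiki/Sheet?minify=false HTTP/1.1" 200 4120',
    '203.0.113.9 - - [03/Sep/2025:10:00:02 +0000] "GET /xwiki/bin/jsx/../../WEB-INF/xwiki.cfg HTTP/1.1" 200 18234',
    '203.0.113.9 - - [03/Sep/2025:10:00:03 +0000] "GET /xwiki/bin/sx/%2e%2e/%2e%2e/WEB-INF/xwiki.cfg HTTP/1.1" 404 0',
    '203.0.113.9 - - [03/Sep/2025:10:00:04 +0000] "GET /xwiki/bin/sx/%252e%252e/%252e%252e/web-inf/xwiki.cfg HTTP/1.1" 404 0',
    '203.0.113.9 - - [03/Sep/2025:10:00:05 +0000] "GET /xwiki/bin/jsx/..;/..;/WEB-INF/hibernate.cfg.xml HTTP/1.1" 403 0',
    '10.0.0.7 - - [03/Sep/2025:10:00:06 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9981',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['ip']} {hit['status']} {hit['target']} -> {hit['reason']}")
    if served_successfully(found):
        print("At least one traversal was answered 200: rotate the secrets held in xwiki.cfg")
```

The scanner flags what was requested, not what the server actually returned, so a 404 or 403 hit is reconnaissance worth watching and a 200 hit is the one that triggers secret rotation. The same decode_target normalization is what a proxy rule should apply before matching, otherwise the encoded variants in the sample pass straight through.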
Update XWiki Platform to version 16.10.7 or later (or to 17.4.0-rc-1 or later on the 17.x line). These releases correct the flaw that allowed unauthorized access to configuration files through the jsx and sx endpoints and stop the exposure of sensitive information.
CVE-2025-55748 is a critical vulnerability in XWiki Platform that lets attackers read configuration files from WEB-INF via crafted URLs to the jsx and sx endpoints, exposing sensitive data.
You are affected if you are running XWiki Platform versions prior to 16.10.7 or 17.4.0-rc-1. Immediate action is required.
Upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. There is no known workaround other than upgrading.
No public exploit is currently known, but the vulnerability is simple enough that active exploitation is plausible. Monitor access logs for traversal attempts against the jsx and sx endpoints.
Refer to the XWiki Jira issue tracker for the latest information and updates: https://jira.xwiki.org/