Platform
java
Component
org.xwiki.platform:xwiki-platform-webjars-api
Fixed in
6.1.1
16.10.7
16.10.7
CVE-2025-55747 describes a path traversal vulnerability discovered in the XWiki Platform Webjars API. This flaw allows attackers to potentially access and read sensitive configuration files by manipulating URLs, bypassing intended access controls. The vulnerability impacts versions of XWiki Platform prior to 16.10.7 and 17.4.0-rc-1, and a patch is available to address the issue.
The primary impact of CVE-2025-55747 is the unauthorized disclosure of sensitive information. By crafting malicious URLs, an attacker can traverse the file system and access files outside of the intended web root. Specifically, the vulnerability allows access to the xwiki.cfg file, which contains configuration details for the XWiki platform. Exposure of this file could reveal database credentials, API keys, and other sensitive settings, enabling further exploitation and potentially leading to complete system compromise. This vulnerability is similar in concept to other path traversal attacks, where improper input validation allows attackers to navigate outside of intended directories.
CVE-2025-55747 was publicly disclosed on September 3, 2025. As of this date, there are no reports of active exploitation in the wild. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's ease of exploitation suggests a potential for future exploitation if left unpatched.
Organizations deploying XWiki Platform, particularly those with publicly accessible instances, are at risk. Legacy XWiki installations and those with misconfigured access controls are especially vulnerable. Shared hosting environments where multiple users share the same XWiki instance also face increased risk.
• java / server: ps aux | grep xwiki
• java / server: journalctl -u xwiki | grep -i "webjars"
• generic web (disclosure check): curl -I http://<target>/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg
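As an added example (not part of this advisory or of the XWiki project), the following Python scan runs over constructed access-log lines and flags webjars requests whose decoded path climbs out of the webjar root or reaches WEB-INF, recording whether the server answered 200 so the hit can be triaged as probable disclosure rather than a blocked probe. The log lines, the log format regex and the decode depth are assumptions; the traversal pattern is the one quoted in the curl check above.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx combined style); not from any real deployment.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Sep/2025:10:00:01 +0000] "GET /xwiki/webjars/wiki%3Axwiki/bootstrap/3.4.1/css/bootstrap.min.css HTTP/1.1" 200 1234
203.0.113.11 - - [03/Sep/2025:10:00:02 +0000] "GET /xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg HTTP/1.1" 200 8192
203.0.113.12 - - [03/Sep/2025:10:00:03 +0000] "GET /xwiki/webjars/wiki%3Axwiki/%252e%252e%252fWEB-INF%252fxwiki.cfg HTTP/1.1" 404 0
203.0.113.13 - - [03/Sep/2025:10:00:04 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5000
"""

# Assumed request-line layout: "<METHOD> <path> HTTP/x.y" <status>
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')
WEBJARS_PREFIX = "/xwiki/webjars/"


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e) is also caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_webjars_traversal(path: str) -> bool:
    """True when a webjars request, once decoded, contains a '..' segment or names WEB-INF."""
    if not path.startswith(WEBJARS_PREFIX):
        return False
    decoded = fully_decode(path).replace("\\", "/")
    segments = decoded[len(WEBJARS_PREFIX):].split("/")
    return ".." in segments or "WEB-INF" in segments


def scan_access_log(log_text: str) -> list[dict]:
    """One finding per suspicious request; 'served' marks a 200 that likely disclosed the file."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_webjars_traversal(m.group("path")):
            status = int(m.group("status"))
            findings.append({"path": m.group("path"), "status": status, "served": status == 200})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```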
Exploit status
EPSS
1.99% (83rd percentile)
CISA SSVC
The recommended mitigation for CVE-2025-55747 is to immediately upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. These versions include a fix that prevents the path traversal vulnerability. As there is no known workaround, upgrading is the only viable solution. If upgrading is not immediately feasible, consider implementing strict input validation on all URL parameters to prevent malicious path manipulation. While not a direct fix, this can provide a temporary layer of defense. After upgrading, confirm the fix by attempting to access the vulnerable URL (http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg) and verifying that access is denied.
Update XWiki Platform to version 16.10.7 or later. This version fixes the vulnerability that allowed unauthorized access to configuration files through the webjars API, ensuring that configuration files are protected and no longer publicly reachable.
CVE-2025-55747 is a critical path traversal vulnerability in the XWiki Platform Webjars API that allows attackers to read sensitive configuration files by manipulating URLs.
Yes, if you are running XWiki Platform versions prior to 16.10.7 or 17.4.0-rc-1, you are vulnerable to this path traversal vulnerability.
Upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. There is no known workaround other than upgrading.
As of September 3, 2025, there are no reports of active exploitation in the wild, but the vulnerability's ease of exploitation suggests a potential for future exploitation.
You can find the official advisory on the XWiki Jira issue tracker: https://jira.xwiki.org/browse/XWIKI-19350