Platform: java
Component: org.xwiki.platform:xwiki-platform-webjars-api
Fixed versions: 6.1.1, 16.10.7
CVE-2025-55747 describes a path traversal vulnerability discovered in the XWiki Platform Webjars API. This flaw allows attackers to potentially access and read sensitive configuration files by manipulating URLs, bypassing intended access controls. The vulnerability impacts versions of XWiki Platform prior to 16.10.7 and 17.4.0-rc-1, and a patch is available to address the issue.
The primary impact of CVE-2025-55747 is the unauthorized disclosure of sensitive information. By crafting malicious URLs, an attacker can traverse the file system and access files outside of the intended web root. Specifically, the vulnerability allows access to the xwiki.cfg file, which contains configuration details for the XWiki platform. Exposure of this file could reveal database credentials, API keys, and other sensitive settings, enabling further exploitation and potentially leading to complete system compromise. This vulnerability is similar in concept to other path traversal attacks, where improper input validation allows attackers to navigate outside of intended directories.
CVE-2025-55747 was publicly disclosed on September 3, 2025. As of this date, there are no reports of active exploitation in the wild. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's ease of exploitation suggests a potential for future exploitation if left unpatched.
Organizations deploying XWiki Platform, particularly those with publicly accessible instances, are at risk. Legacy XWiki installations and those with misconfigured access controls are especially vulnerable. Shared hosting environments where multiple users share the same XWiki instance also face increased risk.
• java / server:
ps aux | grep xwiki
• java / server:
journalctl -u xwiki | grep -i "webjars"
• generic web:
curl -I http://<target>/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg
Exploitation status
EPSS: 1.99% (83rd percentile)
CISA SSVC
The recommended mitigation for CVE-2025-55747 is to immediately upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. These versions include a fix that prevents the path traversal vulnerability. As there is no known workaround, upgrading is the only viable solution. If upgrading is not immediately feasible, consider implementing strict input validation on all URL parameters to prevent malicious path manipulation. While not a direct fix, this can provide a temporary layer of defense. After upgrading, confirm the fix by attempting to access the vulnerable URL (http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg) and verifying that access is denied.
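The detection commands above and the input-validation stop-gap both come down to the same check: percent-decode the requested webjar resource path until it is stable and reject anything that contains a `..` segment. The following is an added example written for this page, not code from XWiki or from the advisory. It assumes a Combined Log Format access log, a webjars prefix of `/xwiki/webjars/`, and uses constructed sample log lines; the function names `is_traversal`, `scan_access_log` and `validate_webjar_resource` are illustrative.

```python
"""Defensive helpers for encoded path traversal in webjars-style resource paths.

Added example for this advisory page; not XWiki project code.
Assumptions: Combined Log Format access log, webjars requests under
/xwiki/webjars/, and a resource is valid only if it contains no '..'
segment after full percent-decoding.
"""
import posixpath
import re
from urllib.parse import unquote

WEBJARS_PREFIX = "/xwiki/webjars/"   # assumed deployment context path

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Sep/2025:10:00:01 +0000] "GET /xwiki/webjars/wiki%3Axwiki/jquery/3.7.1/jquery.min.js HTTP/1.1" 200 87533
10.0.0.9 - - [03/Sep/2025:10:00:02 +0000] "GET /xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg HTTP/1.1" 200 4120
10.0.0.9 - - [03/Sep/2025:10:00:03 +0000] "GET /xwiki/webjars/wiki%3Axwiki/%252e%252e/%252e%252e/WEB-INF/xwiki.cfg HTTP/1.1" 404 0
10.0.0.7 - - [03/Sep/2025:10:00:04 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9001
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded %252e%252e ('..') is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(resource: str) -> bool:
    """True if the decoded resource path could leave the webjar root.

    A webjar resource name never legitimately contains '..', a NUL byte,
    a backslash separator or a leading '/', so all of these are rejected.
    """
    decoded = fully_decode(resource)
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        return True
    return any(segment == ".." for segment in decoded.split("/"))


def scan_access_log(log_text: str) -> list:
    """Return webjars requests whose resource path is a traversal attempt.

    'served' is True when the server answered 200, i.e. the request likely
    returned file contents and should be treated as a disclosure.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith(WEBJARS_PREFIX):
            continue
        resource = m["path"][len(WEBJARS_PREFIX):]
        if is_traversal(resource):
            findings.append({
                "ip": m["ip"],
                "path": m["path"],
                "decoded": fully_decode(resource),
                "status": m["status"],
                "served": m["status"] == "200",
            })
    return findings


def validate_webjar_resource(resource: str) -> str:
    """Input-validation stop-gap: raise on traversal, else return the clean relative path."""
    if is_traversal(resource):
        raise ValueError("path traversal rejected: %r" % resource)
    return posixpath.normpath(fully_decode(resource))


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

`scan_access_log` can be fed the output of the `journalctl` or web-server access log directly; the `served` flag separates blocked probes from requests that actually returned a 200 and therefore warrant credential rotation for anything stored in `xwiki.cfg`. `validate_webjar_resource` is the shape of the "strict input validation" mentioned above; it is a stop-gap, not a replacement for upgrading.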
Update XWiki Platform to version 16.10.7 or later. This version fixes the vulnerability that allowed unauthorized access to configuration files through the webjars API. Upgrading ensures the configuration files are protected and no longer publicly accessible.
CVE-2025-55747 is a critical path traversal vulnerability in the XWiki Platform Webjars API that allows attackers to read sensitive configuration files by manipulating URLs.
Yes, if you are running XWiki Platform versions prior to 16.10.7 or 17.4.0-rc-1, you are vulnerable to this path traversal vulnerability.
Upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. There is no known workaround other than upgrading.
As of September 3, 2025, there are no reports of active exploitation in the wild, but the vulnerability's ease of exploitation suggests a potential for future exploitation.
You can find the official advisory on the XWiki Jira issue tracker: https://jira.xwiki.org/browse/XWIKI-19350