Advisory Database
  • Advisories
  • Dependency Scanning
  1. maven
  2. ›
  3. org.xwiki.platform/xwiki-platform-webjars-api
  4. ›
  5. CVE-2025-55747

CVE-2025-55747: XWiki configuration files can be accessed through the webjars API

September 3, 2025 (updated September 10, 2025)

It’s possible to get access and read configuration files by using URLs such as http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg. The trick here is to encode the / which is decoded when parsing the URL segment, but not re-encoded when assembling the file path.

References

  • github.com/advisories/GHSA-qww7-89xh-x7m7
  • github.com/xwiki/xwiki-platform
  • github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318
  • github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7
  • jira.xwiki.org/browse/XWIKI-19350
  • nvd.nist.gov/vuln/detail/CVE-2025-55747

Code Behaviors & Features

Detect and mitigate CVE-2025-55747 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 6.1-milestone-2 before 16.10.7

Fixed versions

  • 16.10.7

Solution

Upgrade to version 16.10.7 or above.

Impact 9.1 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Learn more about CVSS

Weakness

  • CWE-23: Relative Path Traversal

Source file

maven/org.xwiki.platform/xwiki-platform-webjars-api/CVE-2025-55747.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 25 Sep 2025 12:21:06 +0000.