CVE-2025-55747: XWiki configuration files can be accessed through the webjars API

September 3, 2025 (updated September 10, 2025)

It’s possible to get access and read configuration files by using URLs such as http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg. The trick here is to encode the / which is decoded when parsing the URL segment, but not re-encoded when assembling the file path.

References

github.com/advisories/GHSA-qww7-89xh-x7m7
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318
github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7
jira.xwiki.org/browse/XWIKI-19350
nvd.nist.gov/vuln/detail/CVE-2025-55747

Code Behaviors & Features

Detect and mitigate CVE-2025-55747 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →