
CVE-2025-55747: XWiki configuration files can be accessed through the webjars API

Basic Information

CVSS Score: N/A
EPSS Score: -
Published: 9/3/2025
Updated: 9/3/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-webjars-api | maven | >= 6.1-milestone-2, < 16.10.7 | 16.10.7 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a classic path traversal issue (CWE-23): user-controlled input from the URL is used to construct file paths for resource loading, and the application fails to properly sanitize and validate those resource paths before accessing them. The patch addresses this by introducing a centralized utility, ClassLoaderUtils, which is now used across different parts of the application to load resources safely. Commit 9e7b4c03f2143978d891109a17159f73d4cdd318 shows direct, unsafe calls to getResourceAsStream and flawed manual path validation being replaced with calls to this new utility. The vulnerable functions were identified by locating where those unsafe calls were made: WebJarsResourceReferenceHandler.getResourceStream, InternalTemplateManager.getClassloaderTemplate, and SxResourceSource.getContent all constructed resource paths from user-controllable data without adequate sanitization, making them the primary entry points for this vulnerability.
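The pattern the analysis describes, beside a hardened alternative, as an added example: this is not XWiki's code and not the ClassLoaderUtils utility the fix introduced; the PREFIX value and the method names are assumptions. The resolver canonicalizes the path only after all decoding has happened, so a separator that was encoded in the URL cannot slip past a check that ran on the raw string.

```java
import java.io.InputStream;
import java.util.ArrayDeque;
import java.util.Deque;

// Illustration only; not XWiki's code. PREFIX and method names are assumptions.
public final class ResourcePathExample {
    // Trusted classpath location under which webjar content is expected to live.
    private static final String PREFIX = "META-INF/resources/webjars/";

    // Vulnerable pattern: the caller-supplied relative path is concatenated onto
    // the prefix and handed straight to the class loader. A path containing
    // ".." segments walks out of PREFIX to any resource on the classpath.
    static InputStream loadUnsafe(ClassLoader cl, String userPath) {
        return cl.getResourceAsStream(PREFIX + userPath);
    }

    // Hardened pattern: canonicalize the fully decoded path, refuse anything that
    // does not stay under PREFIX, and load exactly the string that was validated.
    static InputStream loadSafe(ClassLoader cl, String userPath) {
        String resolved = resolve(userPath);
        return resolved == null ? null : cl.getResourceAsStream(resolved);
    }

    // Returns the canonical classpath location, or null if the input is rejected.
    static String resolve(String userPath) {
        if (userPath == null || userPath.isEmpty()) return null;
        // Backslashes and NULs are never legitimate here; a leftover '%' means a
        // later decoding step could still turn "%2F" into a separator, so reject.
        if (userPath.indexOf('\\') >= 0 || userPath.indexOf('%') >= 0
                || userPath.indexOf('\0') >= 0) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : userPath.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue; // collapse "//" and "./"
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return null; // would climb above PREFIX
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(segment);
        }
        return segments.isEmpty() ? null : PREFIX + String.join("/", segments);
    }
}
```

With this resolver, `resolve("jquery/3.7.1/jquery.min.js")` yields the prefixed location, while `resolve("../../WEB-INF/xwiki.cfg")` and `resolve("a/..%2F..%2Fb")` both return null and never reach the class loader.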
