
CVE-2025-55748: XWiki configuration files can be accessed through jsx and sx endpoints

Basic Information

CVSS Score: N/A
EPSS Score: -
Published: 9/3/2025
Updated: 9/3/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.xwiki.platform:xwiki-platform-skin-skinx | maven | >= 4.2-milestone-2, < 16.10.7 | 16.10.7

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability lies in multiple locations within the XWiki platform where user-provided resource paths are used to access files from the classpath without proper sanitization. This allows for path traversal attacks, enabling an attacker to read sensitive configuration files like xwiki.cfg.

Analysis of patch 9e7b4c03f2143978d891109a17159f73d4cdd318 reveals a clear pattern: several methods that previously called ClassLoader.getResource() or ClassLoader.getResourceAsStream() with unsanitized input were changed to go through a new utility, ClassLoaderUtils. This utility centralizes path validation and prevents traversal outside the intended directories.

The key vulnerable functions identified are:

  1. com.xpn.xwiki.internal.template.InternalTemplateManager.getClassloaderTemplate: This function had a manual, flawed path-traversal check that could be bypassed.
  2. com.xpn.xwiki.web.sx.SxResourceSource.getContent: This function handled requests to the /sx/ endpoint and directly used a user-controlled resource name to fetch files.
  3. org.xwiki.webjars.internal.WebJarsResourceReferenceHandler.getResourceStream: This function handled requests for webjar resources and was vulnerable in how it constructed the resource path from user input.

By exploiting these functions through crafted URLs, an attacker could gain access to sensitive system information, as demonstrated by the added test cases that attempt to read WEB-INF/xwiki.cfg.
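As an added illustration of the fix pattern described above (this is not XWiki's ClassLoaderUtils, whose source is not on this page), the snippet below contrasts the unsafe pattern of concatenating a user-supplied name straight into ClassLoader.getResourceAsStream() with a version that rejects any name able to leave the intended directory. The class name, the base directory `templates/` and the probe names are assumptions.

```java
import java.io.InputStream;
import java.util.Arrays;

/** Hypothetical hardened classpath resource loader (added example, not XWiki code). */
public final class SafeClasspathResource {
    /** Assumed directory that callers are meant to stay inside. */
    private static final String BASE = "templates/";

    private SafeClasspathResource() {}

    /**
     * Accepts only plain relative names: no leading slash, no backslashes, no NUL,
     * no percent-escapes (the name must already be URL-decoded by the caller),
     * and no "." or ".." segments, so BASE + name can never resolve outside BASE.
     */
    static boolean isSafeRelativeName(String name) {
        if (name == null || name.isEmpty()) return false;
        if (name.startsWith("/") || name.contains("\\") || name.indexOf('\0') >= 0) return false;
        if (name.contains("%")) return false;
        return Arrays.stream(name.split("/", -1))
                .noneMatch(seg -> seg.isEmpty() || seg.equals(".") || seg.equals(".."));
    }

    /** Unsafe pattern from the analysis: user input reaches the ClassLoader unchecked. */
    static InputStream loadUnchecked(ClassLoader cl, String name) {
        // A name such as "../../WEB-INF/xwiki.cfg" is handed through as-is.
        return cl.getResourceAsStream(BASE + name);
    }

    /** Hardened pattern: validate first, then confine the lookup to BASE. */
    static InputStream loadChecked(ClassLoader cl, String name) {
        if (!isSafeRelativeName(name)) {
            throw new IllegalArgumentException("resource name rejected: " + name);
        }
        return cl.getResourceAsStream(BASE + name);
    }

    public static void main(String[] args) {
        // Constructed probe names: one legitimate, the rest shaped like the report's traversal input.
        String[] probes = { "Main/Welcome.js", "../../WEB-INF/xwiki.cfg",
                            "/WEB-INF/xwiki.cfg", "Main/./Welcome.js", "Main\\Welcome.js" };
        for (String p : probes) {
            System.out.println(p + " -> " + (isSafeRelativeName(p) ? "allowed" : "rejected"));
        }
    }
}
```

Only the first probe is allowed; the others are rejected before any ClassLoader call is made, which is the property the patched XWiki methods gain by routing through a central validator.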



Impact

It's possible to get access and read configuration files by using URLs such as `http://localhost:****/bin/ssx/Main/Welcome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This can apparently be reproduced on Tomcat instances.

Patch
