CVE-2025-55747
Published: 03 September 2025
Summary
CVE-2025-55747 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in XWiki Platform. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
XWiki Platform versions 6.1-milestone-2 through 16.10.6 contain a path traversal flaw (CWE-23) that exposes configuration files via the webjars API. The affected component is the generic wiki runtime that serves applications built on the platform, and the issue was resolved in release 16.10.7.
An unauthenticated attacker can reach the webjars endpoint over the network and retrieve sensitive configuration data, resulting in full compromise of confidentiality, integrity, and availability as reflected in the CVSS 9.3 rating.
The GitHub security advisory GHSA-qww7-89xh-x7m7 and the linked commit 9e7b4c03f2143978d891109a17159f73d4cdd318 document the fix that restricts access to configuration resources through the webjars path; operators are advised to upgrade to 16.10.7 or later.
The EPSS score rose from a low baseline to a recorded peak of 0.0453, indicating that exploitation interest increased after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26642
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
- CWE(s): CWE-23 (Relative Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
A direct path traversal in a public-facing web API lets a remote, unauthenticated client read files on the server.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the path traversal flaw in the XWiki webjars API, i.e. patching to version 16.10.7 to block unauthorized configuration file access.
- AC-3 (Access Enforcement): enforces approved authorizations so that unauthenticated remote clients cannot reach sensitive configuration files through the webjars API.
- SI-10 (Information Input Validation): validates inputs to the webjars API so that relative path traversal attempts (CWE-23) against configuration files are detected and rejected.
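The SI-10 control above is abstract; the following added example (written for this page, not XWiki's own code or its 16.10.7 fix) shows what an input-validation guard for a webjar-style static resource endpoint looks like in practice. It decodes the requested path (including double percent-encoding), rejects absolute paths, NUL bytes and any `..` segment, normalises `.` and empty segments, confirms the result still sits under the serving root, and finally allow-lists servable file types so that configuration files are never served even from inside the root. The root directory, the artifact/version/file layout, the suffix allow-list and every sample request are constructed for illustration.

```python
"""Input-validation guard for a webjar-style static resource endpoint.

Added example (not XWiki's code): the kind of SI-10 check that rejects
relative path traversal (CWE-23) before a request touches the file system.
Root directory, allow-list and sample requests are constructed.
"""
from pathlib import PurePosixPath
from urllib.parse import unquote

WEBJAR_ROOT = PurePosixPath("/srv/app/webjars")                    # constructed root
ALLOWED_SUFFIXES = {".js", ".css", ".map", ".png", ".svg", ".woff2"}  # constructed policy


class PathRejected(ValueError):
    """Raised when a requested resource path fails validation."""


def canonical_segments(requested: str) -> list[str]:
    """Decode and split a request path into clean segments, or raise."""
    decoded = requested
    for _ in range(3):                      # undo double/triple percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    if decoded.startswith(("/", "\\")):
        raise PathRejected("absolute path not allowed")
    segments: list[str] = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue                        # empty or current-directory segment
        if seg == "..":
            raise PathRejected("parent directory reference")
        segments.append(seg)
    if not segments:
        raise PathRejected("empty path")
    return segments


def resolve_webjar_resource(requested: str) -> str:
    """Return the absolute path to serve, or raise PathRejected.

    Assumed layout (constructed): <root>/<artifact>/<version>/<file...>
    """
    segments = canonical_segments(requested)
    if len(segments) < 3:
        raise PathRejected("expected artifact/version/file")
    target = WEBJAR_ROOT.joinpath(*segments)
    # Defence in depth: even after segment filtering, confirm containment.
    if WEBJAR_ROOT not in target.parents:
        raise PathRejected("escapes webjar root")
    # Allow-list servable asset types; configuration files are never static assets.
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PathRejected(f"suffix {target.suffix!r} not servable")
    return str(target)


def check(requested: str) -> tuple[bool, str]:
    """Return (accepted, served_path_or_reason) for one request string."""
    try:
        return True, resolve_webjar_resource(requested)
    except PathRejected as exc:
        return False, str(exc)


# Constructed sample requests: legitimate assets plus several traversal shapes.
SAMPLES = [
    "jquery/3.7.1/jquery.min.js",
    "jquery/./3.7.1//jquery.min.js",
    "jquery/3.7.1/../../config/app.properties",
    "jquery/3.7.1/%2e%2e/%2e%2e/config/app.properties",
    "jquery/3.7.1/%252e%252e/%252e%252e/config/app.properties",
    "jquery/3.7.1/..\\..\\config\\app.xml",
    "jquery/3.7.1/pom.properties",
    "/etc/hosts",
    "jquery/3.7.1",
]

if __name__ == "__main__":
    for req in SAMPLES:
        ok, detail = check(req)
        print(f"{'ALLOW' if ok else 'DENY ':6} {req!r:58} -> {detail}")
```

The two independent layers matter: segment filtering stops every `..` variant the decoder can surface, while the suffix allow-list means that a request which stays inside the root but names a `.properties` or `.xml` file is still refused, which is the failure mode this CVE describes.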