CVE-2025-55747
Published: 03 September 2025
Summary
CVE-2025-55747 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of the path traversal flaw in the XWiki webjars API, enabling patching to version 16.10.7 to block unauthorized configuration file access.
Enforces approved authorizations to prevent unauthenticated remote attackers from accessing sensitive configuration files through the vulnerable webjars API.
Validates information inputs to the webjars API to detect and reject relative path traversal attempts (CWE-23) targeting configuration files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct path traversal in public-facing web API enables remote file access on the system.
NVD Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
Deeper analysisAI
CVE-2025-55747 affects the XWiki Platform, a generic wiki platform that provides runtime services for applications built on top of it. The vulnerability involves configuration files being accessible through the webjars API in versions from 6.1-milestone-2 through 16.10.6. Classified under CWE-23 (Relative Path Traversal), it has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging the webjars API, the attacker gains unauthorized access to configuration files, potentially exposing sensitive information (high confidentiality impact) and enabling modifications that could compromise system integrity (high integrity impact), while availability remains unaffected.
The issue is addressed in XWiki Platform version 16.10.7. Official mitigation guidance is available in the GitHub security advisory (GHSA-qww7-89xh-x7m7), the related Jira ticket (XWIKI-19350), and the fixing commit (9e7b4c03f2143978d891109a17159f73d4cdd318), which practitioners should review for patch details and upgrade instructions.
Details
- CWE(s)