Cyber Resilience

CVE-2025-55747

Severity: Critical

Published: 03 September 2025
Modified: 10 September 2025
KEV Added: none (not in the CISA KEV catalog)
Patch: fixed in 16.10.7
CVSS Score (v4): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0129 (80.1 percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55747 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

XWiki Platform versions 6.1-milestone-2 through 16.10.6 contain a path traversal flaw (CWE-23) that exposes configuration files via the webjars API. The affected component is the generic wiki runtime that serves applications built on the platform, and the issue was resolved in release 16.10.7.

An unauthenticated attacker can reach the webjars endpoint over the network and retrieve sensitive configuration data, resulting in full compromise of confidentiality, integrity, and availability as reflected in the CVSS 9.3 rating.

The GitHub security advisory GHSA-qww7-89xh-x7m7 and the linked commit 9e7b4c03f2143978d891109a17159f73d4cdd318 document the fix that restricts access to configuration resources through the webjars path; operators are advised to upgrade to 16.10.7 or later.

The EPSS score rose from a low baseline to a recorded peak of 0.0453, indicating that exploitation interest increased after disclosure.

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Direct path traversal in a public-facing web API enables remote file access on the system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24893 (same product: Xwiki Xwiki)
CVE-2025-29924 (same product: Xwiki Xwiki)
CVE-2025-29926 (same product: Xwiki Xwiki)
CVE-2025-54385 (same product: Xwiki Xwiki)
CVE-2025-32429 (same product: Xwiki Xwiki)
CVE-2025-53836 (same product: Xwiki Xwiki)
CVE-2026-33229 (same product: Xwiki Xwiki)
CVE-2025-53835 (same product: Xwiki Xwiki)
CVE-2025-23025 (same product: Xwiki Xwiki)
CVE-2025-51991 (same product: Xwiki Xwiki)

Affected Assets

Vendor: xwiki
Product: xwiki
Versions: 6.1 · 6.2 — 16.10.7 · 17.0.0 — 17.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Requires timely identification, reporting, and correction of the path traversal flaw in the XWiki webjars API, enabling patching to version 16.10.7 to block unauthorized configuration file access.

prevent: Enforces approved authorizations to prevent unauthenticated remote attackers from accessing sensitive configuration files through the vulnerable webjars API.

prevent: Validates information inputs to the webjars API to detect and reject relative path traversal attempts (CWE-23) targeting configuration files.
