Cyber Resilience

CVE-2025-55748

Critical

Published: 03 September 2025

Published
03 September 2025
Modified
10 September 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0037 59.3th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55748 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.3 (Critical).

Operationally, ranked in the top 40.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

XWiki Platform, a generic wiki platform, is affected by a path traversal vulnerability (CWE-23) in versions 4.2-milestone-2 through 16.10.6. The issue allows configuration files to be accessed and read through the jsx and sx endpoints, for example via URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false.

Unauthenticated remote attackers can exploit the flaw without user interaction to retrieve sensitive configuration data, which carries a CVSS 4.0 score of 9.3 reflecting high impact on confidentiality, integrity, and availability.

The vulnerability is fixed in version 16.10.7, as noted in the project's GitHub security advisory, the linked commit that adds resource validation, and the corresponding XWIKI-23109 Jira entry.

EPSS for the CVE rose from a low baseline to a peak of 0.0175 on 2025-12-11 before receding to the current value of 0.0037, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by…

more

using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This is fixed in version 16.10.7.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xwiki
xwiki
4.2 · 4.3 — 16.10.7 · 17.0.0 — 17.3.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References