CVE-2025-55748
Published: 03 September 2025
Summary
CVE-2025-55748 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS base score is 9.3 (Critical).
Operationally, its EPSS percentile places it in the top 40.7% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it, is affected by a relative path traversal vulnerability (CWE-23) in versions 4.2-milestone-2 through 16.10.6. The skin-extension endpoints (named jsx and sx in the advisory text; the proof-of-concept URL uses the ssx action) take a resource parameter that is not confined to the intended resource root, so a request such as http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false returns the contents of the servlet's WEB-INF/xwiki.cfg.
An unauthenticated remote attacker can exploit the flaw without user interaction to read sensitive configuration files. The CVSS 4.0 base score of 9.3 rates the impact on confidentiality, integrity and availability as high: xwiki.cfg can hold settings such as xwiki.superadminpassword and the xwiki.authentication.* keys, so disclosure of that file alone can be a stepping stone to full administrative compromise rather than a pure information leak.
The vulnerability is fixed in version 16.10.7, as noted in the project's GitHub security advisory, the linked commit that adds resource validation, and the corresponding XWIKI-23109 Jira entry.
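The following is an added example written for this page, not code from the XWiki project or from the advisory. It does two things a practitioner wants after reading the paragraphs above and the vulnerability details below: a resource-root check of the kind the fix needs (decode, normalise separators, resolve `..`, confirm the result still sits under the allowed root), and a scan of web-server access logs for requests to the skin-extension actions whose `resource` parameter escapes that root, covering percent-encoded and double-encoded variants. The combined-format log lines are constructed for the example, and the `/resources` root is a stand-in for XWiki's real resource resolver, which the advisory does not describe.

```python
"""Resource-root validation and access-log detection for CVE-2025-55748.

Added example for this page; not XWiki project code. Assumptions:
- access logs are in Apache/nginx combined format;
- the allowed resource root is modelled as an abstract '/resources' prefix
  (a placeholder for XWiki's real resolver, which the advisory does not show).
"""

import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Actions named on the page: ssx in the PoC URL, jsx and sx in the advisory text.
SKIN_EXTENSION_ACTIONS = ("ssx", "jsx", "sx")

# Matches /bin/<action>/... with any context path in front (e.g. /xwiki/bin/ssx/).
ACTION_RE = re.compile(
    r"^/(?:[^/]+/)*bin/(%s)/" % "|".join(SKIN_EXTENSION_ACTIONS), re.IGNORECASE
)

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (catches %252e%252e)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resource_escapes_root(resource: str, root: str = "/resources") -> bool:
    """Return True if `resource`, resolved under `root`, would leave `root`.

    This is the shape of check the fix requires: decode, treat backslashes
    as separators, resolve '..' segments, then verify containment.
    """
    decoded = fully_decode(resource).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    return not (resolved == root or resolved.startswith(root + "/"))


def scan_access_log(lines):
    """Return (ip, status, target) for requests that look like traversal probes.

    Only requests to the skin-extension actions are considered; parse_qs
    removes one encoding layer and resource_escapes_root removes the rest.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        if not ACTION_RE.match(parts.path):
            continue
        for resource in parse_qs(parts.query).get("resource", []):
            if resource_escapes_root(resource):
                hits.append((m.group("ip"), m.group("status"), target))
                break
    return hits


# Constructed sample log lines (not real traffic): two probes, one legitimate
# skin-extension request, one unrelated page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Sep/2025:10:15:01 +0000] "GET /bin/ssx/Main/WebHome'
    '?resource=../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 4812 "-" "curl/8.4.0"',
    '203.0.113.7 - - [03/Sep/2025:10:15:03 +0000] "GET /bin/jsx/Main/WebHome'
    '?resource=%2e%2e%2f%2e%2e%2fWEB-INF%2fxwiki.properties HTTP/1.1" 200 2210 "-" "curl/8.4.0"',
    '198.51.100.4 - - [03/Sep/2025:10:16:11 +0000] "GET /bin/ssx/XWiki/SkinSheet'
    '?resource=skin/style.css&minify=true HTTP/1.1" 200 905 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Sep/2025:10:17:40 +0000] "GET /bin/view/Main/WebHome'
    ' HTTP/1.1" 200 15023 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, status, target in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

A 200 status on a flagged request is the signal to treat as a confirmed read of the configuration file; a 4xx on the same pattern after upgrading to 16.10.7 is the expected post-fix behaviour. The containment check is the point that generalises: rejecting only the literal string `..` misses encoded and backslash variants, whereas resolving the path and testing the prefix does not.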
EPSS for the CVE rose from a low baseline to a peak of 0.0175 on 2025-12-11 before receding to the current value of 0.0037, indicating a period of elevated predicted exploitation likelihood after disclosure (EPSS is a probability estimate, not evidence of observed exploitation).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26643
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This is fixed in version 16.10.7.
- CWE(s): CWE-23 Relative Path Traversal
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
XWiki Platform versions 4.2-milestone-2 through 16.10.6 (fixed in 16.10.7).
Mitigating Controls
No mitigating controls mapped yet by the per-CVE control annotator. The vendor fix is to upgrade XWiki Platform to 16.10.7 or later, which adds validation of the resource parameter. Where an immediate upgrade is not possible, rejecting requests to the skin-extension actions (ssx, jsx, sx) whose resource parameter contains traversal sequences, including percent-encoded forms, at a reverse proxy or WAF is a standard interim control; this is general practice and not a mitigation the advisory itself documents.