CVE-2025-55747: 
Java vulnerability analysis and mitigation

CVE-2025-55747 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered in versions 6.1-milestone-2 through 16.10.6, where configuration files were accessible through the webjars API. The issue was disclosed on September 3, 2025, and has been fixed in version 16.10.7 (GitHub Advisory).

The vulnerability is classified as a Relative Path Traversal (CWE-23) with a CVSS v4.0 base score of 9.3 (Critical). The attack vector is network-based, requires low complexity, and needs no privileges or user interaction. The vulnerability allows attackers to access configuration files by using specially crafted URLs with encoded path traversal sequences. For example, accessing URLs like 'http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg'. The exploit works by encoding the forward slash character, which is decoded during URL segment parsing but not re-encoded when assembling the file path (GitHub Advisory, XWiki Jira).

The vulnerability allows unauthorized access to read configuration files in the system. This could lead to exposure of sensitive information stored in configuration files, potentially compromising system security. The attack can be executed remotely without requiring any authentication (GitHub Advisory).

The vulnerability has been patched in XWiki versions 17.4.0-rc-1 and 16.10.7. There are no known workarounds other than upgrading to a patched version of XWiki (GitHub Advisory).