CVE-2025-55749
Published 2025-12-01
Priority: P179 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 1.38% (68.7th percentile)
XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 16.7.0 < 16.10.11 | 16.10.11 |
| xwiki | xwiki | >= 17.0.0 < 17.4.4 | 17.4.4 |
| xwiki | xwiki | >= 17.5.0 < 17.7.0 | 17.7.0 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
- Send an unauthenticated HTTP GET request to /webapps/xwiki/WEB-INF/xwiki.properties; a vulnerable XJetty instance will return HTTP 200 with a body containing both 'diff.xml.dataURI' and 'core.renderingcache.enabled'.
- Scope detection to hosts fingerprinted as XWiki Platform (e.g. via FOFA query app="XWIKI-Platform"); the vulnerability only affects instances using the XWiki Jetty (XJetty) package.
- The exposed context allows static traversal of the entire webapp/ folder, so monitor for unauthenticated GET requests targeting paths under /webapps/xwiki/WEB-INF/ from external sources.
- The vulnerability is only exploitable on XWiki instances deployed via the XWiki Jetty (XJetty) package; standard servlet-container deployments are not affected.
- The affected version range is 16.7.0 through (but not including) 16.10.11, 17.4.4, and 17.7.0; fixed versions are 16.10.11, 17.4.4, and 17.7.0.
CVSS provenance
- nvd v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- nvd v4.0: 8.7 HIGH (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
- vulncheck: 8.7 HIGH
GHSA
XWiki Jetty Package (XJetty) allows accessing any application file through URL
ghsa · 2025-12-01
CVE-2025-55749 [HIGH] CWE-284
### Impact
In an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder.
It allows accessing files which might contain credentials, like http://myhots/webapps/xwiki/WEB-INF/xwiki.cfg, http://myhots/webapps/xwiki/WEB-INF/xwiki.properties or http://myhots/webapps/xwiki/WEB-INF/hibernate.cfg.xml.
### Patches
This has been patched in 16.10.11, 17.4.4 and 17.7.0.
### Workarounds
The workaround is to modify the start_xwiki.sh script following https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10.
### For more information
If you have any questions or co
OSV
XWiki Jetty Package (XJetty) allows accessing any application file through URL
osv · 2025-12-01
CVE-2025-55749 [HIGH]
(Advisory text identical to the GHSA entry above.)
VulnCheck
xwiki xwiki Improper Access Control
vulncheck · 2025 · CVSS 8.7
CVE-2025-55749 [HIGH]
XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.
Affected: xwiki xwiki
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-55749
No detection rules found.
Nuclei
XWiki - Information Disclosure
nuclei · CVSS 8.7
CVE-2025-55749 [HIGH]
XWiki 16.7.0 to 16.10.11, 17.4.4, and 17.7.0 using XJetty contains an information disclosure vulnerability: an exposed context allows static access to files in the webapp/ folder, letting attackers read sensitive files. Exploitation requires the XJetty package.
Template:
```yaml
id: CVE-2025-55749

info:
  name: XWiki - Information Disclosure
  author: DhiyaneshDk
  severity: high
  description: |
    XWiki 16.7.0 to 16.10.11, 17.4.4, and 17.7.0 using XJetty contains an information disclosure vulnerability caused by exposed context allowing static access to files in webapp/ folder, letting attackers access sensitive files, exploit requires use of XJetty package.
  impact: |
    Attackers can access sensitive files including credentials, leading to information disclosure.
  remedi
```
No writeups or analysis indexed.
References:
- https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd
- https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10
- https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9
- https://jira.xwiki.org/browse/XWIKI-23438