CVE-2025-55747

9.1 CRITICAL

📋 TL;DR

XWiki Platform versions 6.1-milestone-2 through 16.10.6 let an unauthenticated attacker read server configuration files through the webjars resource endpoint, the handler that serves the JavaScript and CSS libraries of the wiki UI. Any installation running a vulnerable version is affected. The disclosed files can contain credentials and other secrets, so this information disclosure can be the first step toward full compromise.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: 6.1-milestone-2 through 16.10.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Every standard XWiki installation on a vulnerable version is affected. The webjars endpoint serves the JavaScript and CSS libraries used by the wiki UI, so it is enabled by default and cannot simply be switched off without breaking the interface.

📦 What is this software?

XWiki Platform is an open-source, Java-based wiki and application platform used for enterprise documentation and knowledge bases. It packages its front-end libraries (jQuery, Bootstrap and others) as WebJars, Java archives that carry static web assets, and serves them to browsers through a dedicated webjars URL handler. That handler is the component at issue in this advisory.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain configuration files containing database credentials, API keys, or other secrets, leading to complete system compromise through credential reuse or direct database access.

🟠

Likely Case

Unauthenticated attackers access sensitive configuration data, potentially exposing authentication mechanisms, system paths, or other operational details that could aid in targeted attacks.

🟢

If Mitigated

With proper network segmentation and access controls, exposure is limited to internal networks, reducing the attack surface to trusted users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires simple HTTP requests to the webjars API endpoint. No authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.10.7

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7

Restart Required: Yes

Instructions:

1. Back up the XWiki installation (including the WEB-INF configuration files) and the database.
2. Download XWiki Platform 16.10.7 or later.
3. Deploy the patched version in place of the existing one, carrying over your configuration files.
4. Restart the XWiki service or application server.

🔧 Temporary Workarounds

Block webjars API access

Applies to: all platforms

At the reverse proxy or WAF in front of XWiki, deny (or restrict to trusted source addresses) requests under the webjars path. Include the XWiki context path, usually /xwiki, in the rule or it will not match. The same endpoint serves the JavaScript and CSS of the XWiki UI, so a blanket deny breaks the interface for every user; it is acceptable only as a stopgap while patching, and an allow-list of trusted addresses is the usable form.

# For Apache (mod_rewrite, in the virtual host; the rule itself must not be commented out):
RewriteEngine On
RewriteRule ^/xwiki/webjars/ - [F,L]

# For Nginx:
location ~ ^/xwiki/webjars/ { deny all; }

🧯 If You Can't Patch

  • Restrict access to the XWiki instance to trusted networks and users (VPN or reverse-proxy allow-list) so the unauthenticated endpoint is not reachable from the internet
  • Monitor web server logs for requests under the webjars path that name a configuration file (xwiki.cfg, xwiki.properties, hibernate.cfg.xml) rather than a JavaScript or CSS asset
  • If such requests have already returned 200, treat every secret in those files (database password, LDAP or SSO bind credentials, configured API keys) as compromised and rotate it

🔍 How to Verify

Check if Vulnerable:

Request a known configuration file, such as xwiki.properties, through the webjars path of your instance (the URL starts with the context path, usually /xwiki/webjars/; the exact request form is given in the vendor advisory). A response whose body is the file's contents confirms the instance is vulnerable. Run the check only against systems you are authorised to test, and keep in mind that a positive response contains credentials: do not paste it into tickets or chat.

Check Version:

The version is shown in the footer of the default skin ("Powered by XWiki <version>") and in the administration section. On the server, the file name WEB-INF/lib/xwiki-platform-oldcore-<version>.jar gives the exact version. xwiki.properties is a configuration file and does not record the version.
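Added example, not from the original page or from the XWiki project: a Python check that parses XWiki's version scheme (final releases plus -milestone-N and -rc-N pre-releases, which sort below the final release) and decides whether a version falls in the range stated on this page, 6.1-milestone-2 up to but excluding 16.10.7. It also extracts the version from the xwiki-platform-oldcore JAR file name. It encodes only the range given here; other release lines are not covered and should be checked against the vendor advisory.

```python
import re

# Ordering of XWiki pre-release stages: milestones precede release candidates,
# which precede the final release of the same number.
STAGE_ORDER = {"milestone": 0, "rc": 1, "final": 2}

# Accepts "16.10.6", "16.10", "6.1-milestone-2", "16.10.0-rc-1".
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<stage>milestone|rc)-(?P<n>\d+))?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn an XWiki version string into a tuple that compares correctly."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    stage = m["stage"].lower() if m["stage"] else "final"
    return (
        int(m["major"]),
        int(m["minor"]),
        int(m["patch"] or 0),
        STAGE_ORDER[stage],
        int(m["n"] or 0),
    )


# Range as stated on this page: first affected 6.1-milestone-2, fixed in 16.10.7.
# Assumption: nothing outside this range is encoded here; see the vendor advisory.
FIRST_AFFECTED = parse_version("6.1-milestone-2")
FIXED = parse_version("16.10.7")


def is_affected(text):
    """True when the version lies in [6.1-milestone-2, 16.10.7)."""
    v = parse_version(text)
    return FIRST_AFFECTED <= v < FIXED


# The oldcore JAR under WEB-INF/lib carries the platform version in its name.
JAR_RE = re.compile(r"^xwiki-platform-oldcore-(?P<version>.+)\.jar$")


def version_from_jar_name(filename):
    """Extract '16.10.6' from 'xwiki-platform-oldcore-16.10.6.jar'."""
    m = JAR_RE.match(filename)
    if not m:
        raise ValueError(f"not an oldcore JAR name: {filename!r}")
    return m["version"]


if __name__ == "__main__":
    for sample in ("16.10.6", "16.10.7", "6.1-milestone-1", "16.10.0-rc-1"):
        print(f"{sample:<16} affected={is_affected(sample)}")
    jar = "xwiki-platform-oldcore-16.10.6.jar"
    print(f"{jar}: affected={is_affected(version_from_jar_name(jar))}")
```

Feed it the version from the footer, or the oldcore JAR name from WEB-INF/lib, to get a yes/no answer that does not trip over pre-release suffixes.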

Verify Fix Applied:

After patching, a request for a configuration file through the webjars path must return an error (not found or forbidden) instead of the file's contents. Legitimate webjar assets such as jquery.min.js still return 200 after the fix; that is expected and is not a sign the patch failed.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to requests under the webjars path whose file name is a configuration file (xwiki.cfg, xwiki.properties, hibernate.cfg.xml, web.xml) rather than a .js or .css asset; a plain 200 on /webjars/ is normal UI traffic and occurs on every page load
  • A single source cycling through several configuration file names under the webjars path, or webjars requests from command-line user agents such as curl

Network Indicators:

  • HTTP GET requests to /webjars/* endpoints from untrusted sources

SIEM Query:

source="web_server_logs" AND uri_path="*/webjars/*" AND (uri_path="*.cfg" OR uri_path="*.properties" OR uri_path="*hibernate.cfg.xml") AND response_code=200

(Splunk-style syntax. The leading wildcard covers the context path, usually /xwiki. Matching on every 200 under /webjars/ would fire on each page load, since that path also serves the UI's JavaScript and CSS. Decode percent-encoded paths before matching so an encoded file name is not missed.)
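Added example, not part of the original page: a Python detector that applies the log indicator above to access-log lines in the Apache/Nginx combined format. It flags requests under a webjars path whose decoded file name is an XWiki configuration file, reporting a 200 as a disclosure and any other status as an attempt, and ignores normal asset requests. The log lines are constructed for this example, and the paths in the probe lines are placeholders: the real request form is in the vendor advisory, which is why the detector keys on the requested file name rather than on a request shape.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx "combined" format; not real traffic.
# The three probe paths are placeholders, not the advisory's request form.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /xwiki/webjars/wiki%3Axwiki/jquery/3.7.1/jquery.min.js HTTP/1.1" 200 87533 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /xwiki/webjars/wiki%3Axwiki/bootstrap/3.4.1/css/bootstrap.min.css HTTP/1.1" 200 121200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:09 +0000] "GET /xwiki/webjars/wiki%3Axwiki/xwiki.properties HTTP/1.1" 200 41022 "-" "curl/8.4.0"
198.51.100.7 - - [10/Oct/2025:12:00:10 +0000] "GET /xwiki/webjars/wiki%3Axwiki/hibernate.cfg.xml HTTP/1.1" 200 6120 "-" "curl/8.4.0"
198.51.100.7 - - [10/Oct/2025:12:00:11 +0000] "GET /xwiki/webjars/wiki%3Axwiki/xwiki.cfg HTTP/1.1" 404 512 "-" "curl/8.4.0"
192.0.2.9 - - [10/Oct/2025:12:01:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# XWiki configuration files under WEB-INF that must never come back as webjar assets.
CONFIG_NAMES = {"xwiki.cfg", "xwiki.properties", "hibernate.cfg.xml", "web.xml", "logback.xml"}
CONFIG_SUFFIXES = (".cfg", ".properties")


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and decode twice so percent-encoded (or double-encoded)
    # file names such as xwiki%2Eproperties cannot hide from the name check.
    rec["path"] = unquote(unquote(rec["target"].split("?", 1)[0]))
    return rec


def is_config_probe(path):
    """True when a webjars request names a configuration file instead of an asset."""
    if "/webjars/" not in path:
        return False
    name = path.rstrip("/").rsplit("/", 1)[-1].lower()
    return name in CONFIG_NAMES or name.endswith(CONFIG_SUFFIXES)


def scan(log_text):
    """Return one finding per configuration-file probe, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_config_probe(rec["path"]):
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": rec["path"],
            "status": rec["status"],
            # A 200 means the file was served; anything else is a probe that failed.
            "severity": "disclosure" if rec["status"] == 200 else "attempt",
        })
    return findings


def sources_with_disclosure(findings):
    """Source addresses that received at least one configuration file."""
    return sorted({f["ip"] for f in findings if f["severity"] == "disclosure"})


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:<10} {f['ip']:<15} {f['status']} {f['path']}")
    print("rotate secrets for sources:", sources_with_disclosure(results))
```

Sources listed by sources_with_disclosure are the ones for which the credentials in the served files should be rotated; attempts with non-200 status are still worth alerting on, because they show someone is probing for the bug.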

🔗 References

  • Vendor advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-55747