GHSA-m63c-3rmg-r2cf
GitHub Security Advisory
XWiki configuration files can be accessed through jsx and sx endpoints
Advisory Details
### Impact
Configuration files can be read through the `resource` parameter of the skin-extension actions (`ssx` and `jsx`, which serve stylesheet and JavaScript skin extensions): the parameter is resolved without rejecting `../` traversal, so a request such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false` returns the contents of `WEB-INF/xwiki.cfg`, a file that is never meant to be served to clients.
The issue was reproduced on Tomcat instances; behaviour on other servlet containers has not been confirmed.
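The following is an added example, not code from XWiki or from the advisory. It shows two things a practitioner wants after reading the request above: a detector that flags traversal attempts against the `ssx`/`jsx` actions in Tomcat access logs, and the resolver-side check that makes such a `resource` value fail (canonicalize, then require the result to stay under the resource directory). The log lines, the resource directory `/srv/xwiki/resources`, and the log format (Tomcat common log format) are assumptions; the request path and parameter names come from the advisory.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Tomcat access-log lines (common log format); not real traffic.
# Lines 1-2 carry the advisory's traversal (plain and percent-encoded),
# line 3 is a legitimate skin-extension request, line 4 is unrelated.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Aug/2025:10:01:02 +0000] "GET /bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 4123
10.0.0.5 - - [12/Aug/2025:10:01:03 +0000] "GET /bin/jsx/Main/WebHome?resource=%2e%2e%2f%2e%2e%2fWEB-INF%2fxwiki.cfg&minify=false HTTP/1.1" 200 4123
10.0.0.7 - - [12/Aug/2025:10:02:00 +0000] "GET /bin/ssx/XWiki/WebHome?resource=style.css&minify=true HTTP/1.1" 200 812
10.0.0.9 - - [12/Aug/2025:10:02:10 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 9001
"""

REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: only the two actions named in the advisory are watched.
SKIN_EXTENSION_PATH = re.compile(r"^/bin/(?:ssx|jsx)/")


def _fully_decode(value, rounds=3):
    """Undo repeated percent-encoding; scanners often double-encode '..' ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(resource):
    """True if the decoded resource is absolute or contains a '..' segment."""
    decoded = _fully_decode(resource).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    return any(segment == ".." for segment in decoded.split("/"))


def detect_traversal_attempts(log_text):
    """Return one finding per ssx/jsx request whose resource escapes its directory."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.match(line)
        if not match:
            continue
        parts = urlsplit(match["target"])
        if not SKIN_EXTENSION_PATH.match(parts.path):
            continue
        # parse_qs already applies one round of percent-decoding.
        for resource in parse_qs(parts.query, keep_blank_values=True).get("resource", []):
            if is_traversal(resource):
                findings.append({
                    "ip": match["ip"],
                    "timestamp": match["ts"],
                    "path": parts.path,
                    "resource": _fully_decode(resource),
                    "status": int(match["status"]),
                })
    return findings


def resolve_resource(base_dir, resource):
    """Server-side check: map `resource` under `base_dir`, or None if it escapes.

    The servlet container has already decoded the parameter once, so the
    value is canonicalized as-is; a second encoding layer would simply not
    match any file. Rejecting the empty name and NUL bytes avoids returning
    the directory itself or truncating the path in lower layers.
    """
    if not resource or "\x00" in resource:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, resource))
    if candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for finding in detect_traversal_attempts(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", finding)
    print(resolve_resource("/srv/xwiki/resources", "../../WEB-INF/xwiki.cfg"))
    print(resolve_resource("/srv/xwiki/resources", "css/style.css"))
```

The detector keys on the decoded `resource` value rather than on the literal string `WEB-INF`, so it also catches traversal to other files under the webapp. The resolver deliberately allows `a/../b.css`, which stays inside the resource directory, and rejects only paths whose canonical form leaves it; a 200 on the first two sample lines is the signal that the instance was unpatched at the time.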
### Patches
This has been patched in 17.4.0-rc-1 and 16.10.7.
### Workarounds
There is no known workaround, other than upgrading XWiki.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])
### Attribution
The vulnerability was reported by Gregor Neumann.
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.