
GHSA-qww7-89xh-x7m7

GitHub Security Advisory

XWiki configuration files can be accessed through the webjars API

Status: GitHub Reviewed | Severity: CRITICAL | Has CVE

Advisory Details

### Impact

It is possible to access and read configuration files by requesting URLs such as `http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg`. The trick is to percent-encode the `/`: the encoded slash is decoded when the URL segment is parsed, but the resulting path is not re-encoded when the file path is assembled, so the `..` components are applied to the file system path.
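As an added illustration, not XWiki's own code or its actual fix, the Java helper below shows the containment check that closes this class of bug: the already-decoded segment is resolved against the webjars directory, normalized, and rejected if it no longer lies under that directory. The class name, `WEBJARS_ROOT` and the sample paths in `main` are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical helper showing post-decoding path containment; not XWiki's implementation. */
public final class WebjarPathCheck {

    /** Assumed directory under which webjar resources may be served. */
    private static final Path WEBJARS_ROOT =
        Paths.get("/opt/xwiki/webapps/xwiki/webjars").toAbsolutePath().normalize();

    /**
     * Resolves a resource path (as handed over after URL-segment decoding) against
     * WEBJARS_ROOT. Returns the safe absolute path, or null if the path escapes the
     * root, is absolute, or still carries percent-escapes or backslashes.
     */
    public static Path resolve(String decodedSegment) {
        if (decodedSegment == null || decodedSegment.isEmpty()) {
            return null;
        }
        // A second layer of encoding or a backslash separator is never a valid resource name.
        if (decodedSegment.contains("%") || decodedSegment.contains("\\")) {
            return null;
        }
        Path requested = Paths.get(decodedSegment);
        // An absolute input would replace the root entirely during resolve(); reject it.
        if (requested.isAbsolute()) {
            return null;
        }
        // normalize() folds "." and ".." so the containment test sees the real target.
        Path candidate = WEBJARS_ROOT.resolve(requested).normalize();
        // Component-wise prefix test: "/opt/.../webjars-evil" does not match "/opt/.../webjars".
        if (!candidate.startsWith(WEBJARS_ROOT)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal resource and the decoded form of the advisory's path.
        System.out.println(resolve("jquery/3.7.1/jquery.min.js"));
        System.out.println(resolve("../../../../../WEB-INF/xwiki.cfg"));
    }
}
```

The first call yields a path under `WEBJARS_ROOT`; the second is rejected with `null` because normalization walks out of the root, regardless of how many `..` components were supplied.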

### Patches

This has been patched in 17.4.0-rc-1, 16.10.7.

### Workarounds

There is no known workaround, other than upgrading XWiki.

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-webjars-api
Affected versions: 6.1-milestone-2 (fixed in 16.10.7)

Key Information

GHSA ID: GHSA-qww7-89xh-x7m7
Published: September 3, 2025 5:42 PM
Last Modified: September 10, 2025 9:13 PM
CVSS Score: 9.0 / 10
Primary Ecosystem: Maven
Primary Package: org.xwiki.platform:xwiki-platform-webjars-api
GitHub Reviewed: Yes

Dataset

Last updated: November 23, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.