
CVE-2025-55747: CWE-23: Relative Path Traversal in xwiki xwiki-platform

Severity: Critical
Tags: Vulnerability, CVE-2025-55747, cve, cwe-23
Published: Wed Sep 03 2025 (09/03/2025, 20:12:12 UTC)
Source: CVE Database V5
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.

AI-Powered Analysis

AILast updated: 09/03/2025, 20:48:17 UTC

Technical Analysis

CVE-2025-55747 is a critical security vulnerability classified as CWE-23, a Relative Path Traversal flaw, affecting the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. This vulnerability exists in versions from 6.1-milestone-2 up to, but not including, 16.10.7. The core issue is that configuration files within the platform are accessible via the webjars API due to improper validation of file paths. This allows an unauthenticated attacker to exploit the relative path traversal flaw to access sensitive configuration files that should not be exposed publicly. The vulnerability has a CVSS 4.0 base score of 9.3, indicating critical severity. The vector indicates that the attack can be performed remotely over the network without any authentication or user interaction, with low attack complexity. The impact on confidentiality, integrity, and availability is high, as attackers can read sensitive configuration files that may contain credentials, system settings, or other critical information, potentially leading to further compromise of the system or lateral movement within the network. The issue was resolved in version 16.10.7 of XWiki Platform by properly restricting access to configuration files through the webjars API. No known exploits are currently reported in the wild, but the ease of exploitation and critical impact make this vulnerability a high priority for patching.

Potential Impact

For European organizations using XWiki Platform versions between 6.1-milestone-2 and 16.10.6, this vulnerability poses a significant risk. Exposure of configuration files can lead to leakage of sensitive information such as database credentials, API keys, or internal configuration details, which can be leveraged by attackers to escalate privileges, execute further attacks, or disrupt services. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face increased compliance risks and potential legal consequences if such data is compromised. Additionally, the vulnerability's remote and unauthenticated nature means that attackers can exploit it without insider access, increasing the threat surface. Given the criticality, exploitation could lead to data breaches, service interruptions, and reputational damage. The lack of known exploits in the wild currently provides a window for proactive mitigation before widespread attacks occur.

Mitigation Recommendations

European organizations should immediately verify their use of the XWiki Platform and identify affected versions. The primary mitigation is to upgrade all instances of XWiki Platform to version 16.10.7 or later, where the vulnerability is fixed. If immediate upgrading is not feasible, organizations should implement strict network-level access controls to restrict access to the webjars API endpoints, ideally limiting them to trusted internal networks only. Web application firewalls (WAFs) can be configured to detect and block path traversal attempts targeting the webjars API. Additionally, auditing and monitoring access logs for unusual requests to configuration files can help detect exploitation attempts. Organizations should also review and rotate any credentials or sensitive information stored in configuration files as a precautionary measure. Finally, ensure that all security patches and updates are applied promptly and maintain an inventory of software versions to facilitate rapid response to vulnerabilities.
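As an added example for the log-monitoring recommendation above (this is not code from the advisory or from the XWiki project), the check below scans access-log lines for parent-directory segments, including percent- and double-percent-encoded ones, in requests under the webjars path. The `/xwiki/webjars/` URL layout and the sample log lines are constructed assumptions, and the file names in the probes are placeholders.

```python
import re
from urllib.parse import unquote

# Combined access-log format (Apache/Tomcat): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_webjars_traversal(path: str, prefix: str = "/webjars/") -> bool:
    """True when a request below the webjars prefix carries a '..' segment."""
    decoded = fully_decode(path.split("?", 1)[0]).replace("\\", "/")
    if prefix not in decoded:  # assumed: webjars sit under a context path such as /xwiki
        return False
    # Drop ';'-style path parameters (e.g. ;jsessionid) before comparing segments.
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    return ".." in segments


def scan_access_log(lines):
    """Return (client, raw path, status) for each request that looks like a traversal probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_webjars_traversal(m["path"]):
            hits.append((m["client"], m["path"], int(m["status"])))
    return hits


# Constructed sample traffic (not real logs): one normal webjar fetch, two probes, one page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Sep/2025:20:12:12 +0000] "GET /xwiki/webjars/wiki%3Axwiki/jquery/3.7.1/jquery.min.js HTTP/1.1" 200 87533',
    '203.0.113.9 - - [03/Sep/2025:20:13:40 +0000] "GET /xwiki/webjars/..%2F..%2FPLACEHOLDER.cfg HTTP/1.1" 200 2048',
    '203.0.113.9 - - [03/Sep/2025:20:13:41 +0000] "GET /xwiki/webjars/%252e%252e/%252e%252e/PLACEHOLDER.properties HTTP/1.1" 404 512',
    '198.51.100.4 - - [03/Sep/2025:20:15:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 15000',
]

if __name__ == "__main__":
    for client, path, status in scan_access_log(SAMPLE_LOG):
        print(f"traversal probe from {client}: {path} -> {status}")
```

A 200 status on a flagged request is the line worth escalating: on an unpatched version it may indicate a successful read rather than a blocked probe.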


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-14T22:31:17.685Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b8a5f1ad5a09ad00fa3009

Added to database: 9/3/2025, 8:32:49 PM

Last enriched: 9/3/2025, 8:48:17 PM

Last updated: 9/5/2025, 12:03:46 AM
