CVE-2025-55748 is a critical security vulnerability identified in the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. The vulnerability is classified as a Relative Path Traversal (CWE-23) and affects versions from 4.2-milestone-2 up to, but not including, 16.10.7. The issue arises because configuration files are accessible through the jsx and sx endpoints without proper validation or sanitization of user-supplied input. An attacker can exploit this by crafting a URL that includes relative path sequences (e.g., ../../) to traverse directories and access sensitive configuration files such as xwiki.cfg. For example, a URL like http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false allows unauthorized reading of configuration files. These configuration files may contain sensitive information including credentials, system settings, or other confidential data. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. The CVSS 4.0 base score is 9.3 (critical), reflecting the high impact on confidentiality, integrity, and availability, as well as the ease of exploitation. The vulnerability has been fixed in version 16.10.7 of the XWiki Platform. No known exploits are reported in the wild yet, but the critical nature and straightforward exploitation method make it a significant threat to organizations running vulnerable versions of XWiki.

For European organizations using the XWiki Platform within the affected version range, this vulnerability poses a severe risk. Unauthorized access to configuration files can lead to exposure of sensitive information such as database credentials, API keys, or internal system configurations. This can facilitate further attacks including privilege escalation, data breaches, or disruption of services. Given that XWiki is often used for internal documentation and collaboration, compromise could also lead to leakage of intellectual property or sensitive corporate information. The lack of authentication requirement and remote exploitability means attackers can target exposed XWiki instances over the internet, increasing the risk of widespread exploitation. Additionally, organizations in regulated sectors such as finance, healthcare, or government may face compliance violations and reputational damage if sensitive data is exposed. The vulnerability could also be leveraged to undermine the integrity and availability of the platform, potentially disrupting business operations.

European organizations should immediately assess their XWiki Platform deployments to identify affected versions (>=4.2-milestone-2 and <16.10.7). The primary mitigation is to upgrade to version 16.10.7 or later, where the vulnerability is patched. If immediate upgrade is not feasible, organizations should implement network-level controls to restrict access to the jsx and sx endpoints, such as firewall rules or web application firewall (WAF) policies that block suspicious URL patterns containing relative path traversal sequences (e.g., ../). Additionally, disabling or restricting access to the vulnerable endpoints for non-administrative users can reduce exposure. Regularly auditing web server logs for suspicious requests targeting resource parameters with traversal patterns can help detect attempted exploitation. Organizations should also review and harden file system permissions to limit the impact of any unauthorized file access. Finally, monitoring for any unusual activity or indicators of compromise related to XWiki instances is recommended to enable rapid incident response.