CVE-2025-55748: XWiki configuration files can be accessed through jsx and sx endpoints

September 3, 2025 (updated November 10, 2025)

It’s possible to get access and read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false.

This can apparently be reproduced on Tomcat instances.

References

github.com/advisories/GHSA-m63c-3rmg-r2cf
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318
github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf
jira.xwiki.org/browse/XWIKI-23109
nvd.nist.gov/vuln/detail/CVE-2025-55748

Code Behaviors & Features

Detect and mitigate CVE-2025-55748 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →