CVE-2025-55749 Overview
CVE-2025-55749 is a high-severity information disclosure vulnerability affecting the XWiki open-source wiki software platform. In instances using the XWiki Jetty package (XJetty), a misconfiguration in the Jetty base directory handling exposes a context that allows unauthenticated attackers to statically access any file located in the webapp/ folder via URL. This vulnerability can lead to unauthorized access to sensitive files, including configuration files that may contain credentials.
Critical Impact
Unauthenticated remote attackers can access sensitive files in the webapp folder, potentially exposing credentials and other confidential information. With a CVSS score of 8.7 (HIGH) and an EPSS probability of 1.62%, this vulnerability poses significant risk to exposed XWiki instances.
Affected Products
- XWiki Platform versions 16.7.0 to 16.10.10 (fixed in 16.10.11)
- XWiki Platform versions 17.0.0 to 17.4.3 (fixed in 17.4.4)
- XWiki Platform versions 17.5.0 to 17.6.x (fixed in 17.7.0)
Discovery Timeline
- December 1, 2025 - CVE-2025-55749 published to NVD
- December 2, 2025 - Last updated in NVD database
Technical Details for CVE-2025-55749
Vulnerability Analysis
The vulnerability exists in the XWiki Jetty package startup script (start_xwiki.sh) due to improper handling of the Jetty base directory path. When using a relative directory path for JETTY_BASE, Jetty does not correctly resolve the application context, inadvertently exposing static file access to the entire webapp/ directory structure. This allows remote attackers to craft URLs that directly access files within the web application folder without authentication.
The vulnerability is classified under CWE-284 (Improper Access Control), indicating a failure to properly restrict access to sensitive resources. The CVSS 4.0 vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) confirms this is a network-exploitable vulnerability requiring no privileges, no user interaction, and with high confidentiality impact.
Root Cause
The root cause lies in the start_xwiki.sh script where the JETTY_BASE variable was set to a relative path (.) instead of an absolute path. Jetty's context handling does not work correctly with relative directories, causing it to expose an unintended static file context that maps to the application's root directory structure.
Attack Vector
An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the XWiki server. By targeting the exposed static context, attackers can access files within the webapp/ folder, including configuration files such as hibernate.cfg.xml or xwiki.cfg that may contain database credentials, LDAP passwords, or other sensitive information.
The following patches address the vulnerability by ensuring the Jetty base directory is properly resolved to an absolute path:
Patch 1 - Initial Fix:
mkdir -p $XWIKI_DATA_DIR/logs 2>/dev/null
# Set up the Jetty Base directory (used for custom Jetty configuration) to be the current directory where this file is.
+# Jetty does not work well with a relative directory, so we resolve the absolute one
+JETTY_BASE=`pwd`
# Also make sure the log directory exists since Jetty won't create it.
-JETTY_BASE=.
mkdir -p $JETTY_BASE/logs 2>/dev/null
-# Specify Jetty's home directory to be the directory named jetty inside the jetty base directory.
-JETTY_HOME=jetty
+# Specify Jetty's home directory to be the directory named "jetty" inside the Jetty base directory.
+JETTY_HOME="$JETTY_BASE/jetty"
XWIKI_OPTS="$XWIKI_OPTS -Djetty.home=$JETTY_HOME -Djetty.base=$JETTY_BASE"
# Specify the encoding to use
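Review bot: `JETTY_BASE=\`pwd\`` resolves the caller's current working directory, not the directory containing the script, while the context comment just above still says the base is "the current directory where this file is"; when start_xwiki.sh is launched from elsewhere (as a service manager normally does) jetty.base points at the wrong place. Derive it from the script location instead, e.g. `JETTY_BASE=$(cd "$(dirname "$0")" && pwd)`, and quote the expansion in `mkdir -p $JETTY_BASE/logs` and in the `XWIKI_OPTS` line so a path containing spaces is not word-split.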
Source: https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd
Patch 2 - Refined Fix:
mkdir -p $XWIKI_DATA_DIR/logs 2>/dev/null
# Set up the Jetty Base directory (used for custom Jetty configuration) to be the current directory where this file is.
-# Jetty does not work well with a relative directory, so we resolve the absolute one
-JETTY_BASE=`pwd`
+# Jetty does not work well with a relative directory, so we use the absolute one
+JETTY_BASE=$PRGDIR
# Also make sure the log directory exists since Jetty won't create it.
mkdir -p $JETTY_BASE/logs 2>/dev/null
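Review bot: `JETTY_BASE=$PRGDIR` relies on PRGDIR being set earlier in the script to an absolute, symlink-resolved directory, and nothing in this hunk establishes that; an empty PRGDIR would make `mkdir -p $JETTY_BASE/logs` silently create `/logs`-relative paths and leave jetty.base empty. Add a guard before the assignment, e.g. `[ -n "$PRGDIR" ] || { echo "PRGDIR not set" >&2; exit 1; }`, and quote `"$JETTY_BASE/logs"` in the mkdir line.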
Source: https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10
Detection Methods for CVE-2025-55749
Indicators of Compromise
- Unusual HTTP requests attempting to access files in /webapp/ or /WEB-INF/ directories
- Access log entries showing requests for configuration files like hibernate.cfg.xml, xwiki.cfg, or xwiki.properties
- Multiple requests probing for sensitive file paths from single IP addresses
- HTTP 200 responses for static file requests that should normally return 403 or 404
Detection Strategies
Web Application Firewall (WAF) Rules:
Configure WAF rules to detect and block requests attempting to access sensitive configuration files or directory traversal patterns targeting the webapp/ folder structure.
Log Analysis:
Monitor web server access logs for suspicious patterns indicating file enumeration or direct access attempts to configuration directories. Look for requests containing path segments like /WEB-INF/, /classes/, or specific configuration file names.
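The log check described above, as an added example that is not part of the advisory or of XWiki: it reads access log lines in NCSA common format (an assumption; adjust the field numbers if your Jetty request log uses a different layout), flags requests to WEB-INF/, META-INF/, classes/ or the named configuration files, and keeps only those answered with HTTP 200, since a 403 or 404 means Jetty refused the request. The sample lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the advisory or of XWiki: scan NCSA common-format
# access log lines for requests that reached paths Jetty should never serve
# statically (WEB-INF/, META-INF/, classes/, the XWiki configuration files) and
# report the ones that returned HTTP 200, which is the indicator described above.

# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG='203.0.113.10 - - [01/Dec/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120
203.0.113.10 - - [01/Dec/2025:10:00:05 +0000] "GET /webapp/WEB-INF/hibernate.cfg.xml HTTP/1.1" 200 3341
203.0.113.10 - - [01/Dec/2025:10:00:06 +0000] "GET /webapp/WEB-INF/xwiki.cfg HTTP/1.1" 200 9876
198.51.100.7 - - [01/Dec/2025:10:01:00 +0000] "GET /xwiki/WEB-INF/xwiki.properties HTTP/1.1" 404 210
203.0.113.10 - - [01/Dec/2025:10:00:07 +0000] "GET /webapp/WEB-INF/classes/logback.xml HTTP/1.1" 200 1200'

# Read log lines on stdin; print "<client-ip> <path>" for each request to a
# sensitive path that was answered with 200 (a 403/404 means Jetty refused it).
flag_served_sensitive() {
    awk '
    {
        path = $7; status = $9    # request path and status code in NCSA common format
        if (status == "200" &&
            (path ~ /\/WEB-INF\// || path ~ /\/META-INF\// || path ~ /\/classes\// ||
             path ~ /hibernate\.cfg\.xml$/ || path ~ /xwiki\.cfg$/ || path ~ /xwiki\.properties$/)) {
            print $1, path
        }
    }'
}

# Aggregate flagged requests per client so enumeration from one source stands out.
count_by_ip() {
    flag_served_sensitive | awk '{ hits[$1]++ } END { for (ip in hits) print ip, hits[ip] }' | sort
}

# Number of flagged requests in the stream on stdin.
flagged_count() {
    flag_served_sensitive | awk 'END { print NR }'
}

# Run against the constructed sample; on a real host pipe in the Jetty request log instead.
printf '%s\n' "$SAMPLE_LOG" | flag_served_sensitive
printf '%s\n' "$SAMPLE_LOG" | count_by_ip
```

Three of the five constructed lines are flagged, all from one client; the 404 for xwiki.properties is not, because a refused request is the expected behaviour on a patched instance. Feed the real request log in with `flag_served_sensitive < /path/to/request.log` to triage a live host.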
SentinelOne Singularity Platform:
SentinelOne's behavioral AI engine can detect anomalous file access patterns and potential data exfiltration attempts. The platform's network visibility features can identify reconnaissance activities targeting web applications.
Monitoring Recommendations
Implement continuous monitoring for:
- Unexpected file read operations in the XWiki application directory
- Network traffic patterns suggesting credential harvesting or configuration file access
- Authentication failures that may indicate credentials obtained through this vulnerability are being tested
- Changes to configuration files that could indicate post-exploitation activity
How to Mitigate CVE-2025-55749
Immediate Actions Required
- Update XWiki immediately to a patched version: 16.10.11, 17.4.4, or 17.7.0 or later
- Review web server access logs for evidence of exploitation attempts
- Rotate any credentials stored in configuration files within the webapp/ directory
- Implement network-level access controls to restrict access to XWiki administrative interfaces
Patch Information
XWiki has released security patches addressing this vulnerability in the following versions:
| Branch | Fixed Version | Commit Reference |
|---|---|---|
| 16.10.x | 16.10.11 | 42fb063749dd88cc78196f72d7318b7179285ebd |
| 17.4.x | 17.4.4 | 99a04a0e2143583f5154a43e02174155da7e8e10 |
| 17.7.x | 17.7.0 | Included in release |
For detailed information, refer to:
- Security Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9
- Issue Tracker: https://jira.xwiki.org/browse/XWIKI-23438
Workarounds
If immediate patching is not possible, consider the following temporary mitigations:
# Manually update start_xwiki.sh to use absolute paths
# Replace the JETTY_BASE assignment with:
JETTY_BASE=$(cd "$(dirname "$0")" && pwd)
# Ensure JETTY_HOME also uses an absolute reference:
JETTY_HOME="$JETTY_BASE/jetty"
# Additionally, configure your reverse proxy to block direct access to sensitive paths
# Example for nginx:
# location ~* /(WEB-INF|classes|META-INF)/ {
#     deny all;
#     return 404;
# }
Additionally, place XWiki behind a reverse proxy and configure access controls to prevent direct access to static file paths. Consider implementing network segmentation to limit exposure of the XWiki instance to trusted networks only.
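The root cause and the workaround above, demonstrated as an added example that is not part of the advisory or of XWiki's own scripts: a literal relative JETTY_BASE takes its meaning from whatever working directory the script is started in, whereas the workaround assignment resolves to the script's own absolute directory regardless of the caller. The script uses a constructed stand-in for start_xwiki.sh written to a temporary directory, so nothing on a real installation is touched; `mktemp`, `dirname` and `sh` are assumed to be the standard POSIX tools.

```shell
#!/bin/sh
# Added example, not part of the advisory or of XWiki's own scripts: show that a
# literal relative JETTY_BASE (the pre-patch form) changes meaning with the
# caller's working directory, and that the workaround assignment resolves to the
# script's own absolute directory wherever it is invoked from.

# Write a stub script to $1 that assigns JETTY_BASE exactly as given in $2 and
# echoes the value Jetty would receive through -Djetty.base.
write_stub() {
    printf '%s\n' '#!/bin/sh' "JETTY_BASE=$2" 'echo "$JETTY_BASE"' > "$1"
    chmod +x "$1"
}

# Run the stub at $1 with working directory $2 and print what it reported.
run_from() {
    (cd "$2" && sh "$1")
}

# Print the JETTY_BASE a stub of the given style ("relative" or "resolved")
# reports when launched from a different directory, as a service manager would.
jetty_base_seen() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/xwiki" "$work/elsewhere"
    case "$1" in
        relative) write_stub "$work/xwiki/start.sh" '.' ;;                               # pre-patch form
        resolved) write_stub "$work/xwiki/start.sh" '$(cd "$(dirname "$0")" && pwd)' ;; # workaround form
        *) rm -rf "$work"; return 1 ;;
    esac
    run_from "$work/xwiki/start.sh" "$work/elsewhere"
    rm -rf "$work"
}

# 0 if $1 is an absolute path, 1 otherwise.
is_absolute_path() {
    case "$1" in
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

echo "relative assignment, seen by Jetty as: $(jetty_base_seen relative)"
echo "resolved assignment, seen by Jetty as: $(jetty_base_seen resolved)"
```

The relative stub reports `.`, which Jetty interprets against the launcher's working directory rather than the installation, while the resolved stub reports the absolute `.../xwiki` directory containing the script. The same `is_absolute_path` check can be run against the value your own start_xwiki.sh assigns to confirm the workaround took effect.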
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

