CVE-2025-55749
BaseFortify
Publication date: 2025-12-01
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | From 17.0.0 (inc) to 17.4.4 (exc) |
| xwiki | xwiki | From 16.7.0 (inc) to 16.10.11 (exc) |
| xwiki | xwiki | From 17.5.0 (inc) to 17.7.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in XWiki (versions 16.7.0 to 16.10.11, 17.4.4, or 17.7.0) using the XWiki Jetty package (XJetty) allows an attacker to statically access any file located in the webapp/ folder. This means files that might contain sensitive information such as credentials can be accessed without authorization.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to sensitive files, including those containing credentials. This can result in information disclosure, potential compromise of the system, and unauthorized access to protected resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade your XWiki instance to version 16.10.11, 17.4.4, or 17.7.0 or later, as these versions contain the fix that prevents unauthorized static access to files in the webapp/ folder.