Critical severity · NVD Advisory · Published Sep 3, 2025 · Updated Sep 3, 2025
XWiki Platform's configuration files can be accessed through the webjars API
CVE-2025-55747
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-webjars-api (Maven) | >= 7.1.4, < 16.10.7 | 16.10.7 |
| org.xwiki.platform:xwiki-platform-webjars-api (Maven) | >= 17.0.0-rc-1, < 17.4.0-rc-1 | 17.4.0-rc-1 |
| org.xwiki.platform:xwiki-platform-webjars (Maven) | >= 6.1-milestone-2, <= 7.1.3 | — |
Affected products
- Range: >= 6.1-milestone-2, < 16.10.7
Patches
1. 9e7b4c03f214 — XWIKI-23109 XWIKI-19350: Improve resource validation
7 files changed · +135 −14
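--- a/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-test/xwiki-platform-flamingo-skin-test-docker/src/test/it/org/xwiki/flamingo/test/docker/WebJarsIT.java
+++ b/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-test/xwiki-platform-flamingo-skin-test-docker/src/test/it/org/xwiki/flamingo/test/docker/WebJarsIT.java
@@ -0,0 +1,54 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.flamingo.test.docker;
+
+import java.net.URI;
+
+import org.apache.commons.httpclient.methods.GetMethod;
+import org.apache.commons.lang3.StringUtils;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+import org.xwiki.test.docker.junit5.UITest;
+import org.xwiki.test.ui.TestUtils;
+
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+
+/**
+ * Tests related to the webjars endpoint.
+ *
+ * @version $Id$
+ */
+@UITest
+class WebJarsIT
+{
+ @Test
+ @Order(1)
+ void pathTraversal(TestUtils setup) throws Exception
+ {
+ URI uri = new URI(StringUtils.removeEnd(setup.rest().getBaseURL(), "rest")
+ + "webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg");
+
+ GetMethod response = setup.rest().executeGet(uri);
+
+ assertNotEquals(200, response.getStatusCode());
+
+ response.releaseConnection();
+ }
+}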
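Review bot: `response.releaseConnection()` at the end of pathTraversal only runs when the assertion passes; a failing `assertNotEquals` throws past it and the pooled connection is left open for the rest of the test run. Wrap the check as `try { assertNotEquals(200, response.getStatusCode()); } finally { response.releaseConnection(); }`. The same pattern is repeated in SXSkinIT.pathTraversal and WebJarsTest.pathTraversal in this commit. Asserting the specific status the handler is meant to return, rather than only "not 200", would also keep the test from passing on an unrelated 500 that has nothing to do with the validation being tested.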
xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/internal/template/InternalTemplateManager.java+6 −9 modified@@ -59,6 +59,7 @@ import org.xwiki.cache.CacheException; import org.xwiki.cache.CacheManager; import org.xwiki.cache.config.LRUCacheConfiguration; +import org.xwiki.classloader.internal.ClassLoaderUtils; import org.xwiki.component.annotation.Component; import org.xwiki.component.manager.ComponentLifecycleException; import org.xwiki.component.manager.ComponentLookupException; @@ -1107,19 +1108,15 @@ private Template getClassloaderTemplate(String prefixPath, String templateName) private Template getClassloaderTemplate(ClassLoader classloader, String prefixPath, String templateName) { - String templatePath = prefixPath + templateName; - - // Prevent access to resources from other directories - Path normalizedResource = Paths.get(templatePath).normalize(); - // Protect against directory attacks. - if (!normalizedResource.startsWith(prefixPath)) { - this.logger.warn("Direct access to skin file [{}] refused. Possible break-in attempt!", normalizedResource); + URL url; + try { + url = ClassLoaderUtils.getResource(classloader, prefixPath, templateName); + } catch (IllegalArgumentException e) { + this.logger.warn("The template name [{}] is trying to execute a path traversal attack!", templateName); return null; } - URL url = classloader.getResource(templatePath); - return url != null ? new ClassloaderTemplate(new ClassloaderResource(url, templateName)) : null; }
xwiki-platform-core/xwiki-platform-resource/xwiki-platform-resource-servlet/src/main/java/org/xwiki/resource/servlet/AbstractServletResourceReferenceHandler.java+1 −1 modified@@ -92,7 +92,7 @@ public void handle(ResourceReference resourceReference, ResourceReferenceHandler sendError(HttpStatus.SC_NOT_FOUND, "Resource not found [%s].", getResourceName(typedResourceReference)); } - } catch (IOException | ResourceReferenceHandlerException e) { + } catch (Exception e) { this.logger.error(e.getMessage(), e); sendError(HttpStatus.SC_INTERNAL_SERVER_ERROR, e.getMessage()); }
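Review bot: The widened `catch (Exception e)` turns every unexpected failure in handle into an HTTP 500 whose body carries `e.getMessage()`, and that presumably now includes the IllegalArgumentException the resource-validation helper raises for a rejected name (the InternalTemplateManager hunk in this commit catches exactly that type from ClassLoaderUtils). A rejected path traversal is a client error rather than a server fault, and echoing the exception message back to the requester exposes internal detail. Consider catching `IllegalArgumentException` before the catch-all and answering with `sendError(HttpStatus.SC_BAD_REQUEST, "Invalid resource reference.")` (or SC_NOT_FOUND, to match the existing not-found branch), keeping the full message in the log only. The enclosing handle method starts outside the hunk.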
xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/web/sx/SxResourceSource.java+2 −1 modified@@ -24,6 +24,7 @@ import java.nio.charset.StandardCharsets; import org.apache.commons.io.IOUtils; +import org.xwiki.classloader.internal.ClassLoaderUtils; /** * JAR resource source for Skin Extensions. @@ -58,7 +59,7 @@ public String getContent() try { // Load from the current context class loader to allow extensions to contribute skin extensions. ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader(); - try (InputStream in = contextClassLoader.getResourceAsStream(this.resourceName)) { + try (InputStream in = ClassLoaderUtils.getResourceAsStream(contextClassLoader, this.resourceName)) { return IOUtils.toString(in, StandardCharsets.UTF_8); } } catch (NullPointerException e) {
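Review bot: getContent still catches only NullPointerException around the stream read, so if ClassLoaderUtils.getResourceAsStream signals a rejected resourceName by throwing (the InternalTemplateManager hunk in this commit catches IllegalArgumentException from the sibling getResource, which suggests it does), that exception now escapes getContent instead of being handled next to the existing not-found branch. Either add `catch (IllegalArgumentException e)` alongside the NullPointerException handler and return the same not-found result, or document on getContent that an invalid resource name propagates to the caller. The enclosing method and its NullPointerException handler end outside the hunk.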
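--- a/xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-test/xwiki-platform-skin-test-docker/src/test/it/org/xwiki/skin/test/ui/SXSkinIT.java
+++ b/xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-test/xwiki-platform-skin-test-docker/src/test/it/org/xwiki/skin/test/ui/SXSkinIT.java
@@ -0,0 +1,50 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.skin.test.ui;
+
+import java.net.URI;
+
+import org.apache.commons.httpclient.methods.GetMethod;
+import org.junit.jupiter.api.Test;
+import org.xwiki.test.docker.junit5.UITest;
+import org.xwiki.test.ui.TestUtils;
+
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+
+/**
+ * Verify the behavior of resource based skin resources.
+ *
+ * @version $Id$
+ */
+@UITest
+class SXSkinIT
+{
+ @Test
+ void pathTraversal(TestUtils setup) throws Exception
+ {
+ URI uri = new URI(setup.getURL("Main", "WebHome", "sx", "resource=../../WEB-INF/xwiki.cfg"));
+
+ GetMethod response = setup.rest().executeGet(uri);
+
+ assertNotEquals(200, response.getStatusCode());
+
+ response.releaseConnection();
+ }
+}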
xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-api/src/main/java/org/xwiki/webjars/internal/WebJarsResourceReferenceHandler.java+3 −2 modified@@ -30,6 +30,7 @@ import org.apache.tika.mime.MediaType; import org.xwiki.classloader.ClassLoaderManager; +import org.xwiki.classloader.internal.ClassLoaderUtils; import org.xwiki.component.annotation.Component; import org.xwiki.resource.ResourceReferenceHandlerException; import org.xwiki.resource.ResourceType; @@ -76,8 +77,8 @@ public List<ResourceType> getSupportedResourceReferences() @Override protected InputStream getResourceStream(WebJarsResourceReference resourceReference) { - String resourcePath = String.format("%s%s", WEBJARS_RESOURCE_PREFIX, getResourceName(resourceReference)); - return getClassLoader(resourceReference.getNamespace()).getResourceAsStream(resourcePath); + return ClassLoaderUtils.getResourceAsStream(getClassLoader(resourceReference.getNamespace()), + WEBJARS_RESOURCE_PREFIX, getResourceName(resourceReference)); } @Override
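Review bot: getResourceStream now relies entirely on ClassLoaderUtils to keep the resolved name under WEBJARS_RESOURCE_PREFIX, but nothing in the method says so, and the removed String.format line at least made the prefix concatenation explicit. A comment such as `// ClassLoaderUtils resolves the name relative to WEBJARS_RESOURCE_PREFIX and rejects names that escape it (XWIKI-23109).` would record why the prefix is passed separately instead of pre-joined. If the helper rejects a name by throwing, as the InternalTemplateManager hunk suggests, the method's Javadoc should say so as well, since the caller in AbstractServletResourceReferenceHandler now maps any exception to a 500 response.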
xwiki-platform-core/xwiki-platform-webjars/xwiki-platform-webjars-test/xwiki-platform-webjars-test-tests/src/test/it/org/xwiki/webjars/test/ui/WebJarsTest.java+19 −1 modified@@ -19,6 +19,10 @@ */ package org.xwiki.webjars.test.ui; +import java.net.URI; + +import org.apache.commons.httpclient.methods.GetMethod; +import org.apache.commons.lang3.StringUtils; import org.junit.Rule; import org.junit.Test; import org.openqa.selenium.By; @@ -27,7 +31,8 @@ import org.xwiki.test.ui.SuperAdminAuthenticationRule; import org.xwiki.test.ui.po.ViewPage; -import static org.junit.Assert.*; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertNotEquals; /** * Functional tests for the WebJars integration. @@ -73,4 +78,17 @@ public void testWebJars() throws Exception // Verify that the served resource is the one from the webjars assertTrue(getDriver().getPageSource().contains("// AjaxQ jQuery Plugin")); } + + @Test + public void pathTraversal() throws Exception + { + URI uri = new URI(StringUtils.removeEnd(getUtil().rest().getBaseURL(), "rest") + + "webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg"); + + GetMethod response = getUtil().rest().executeGet(uri); + + assertNotEquals(200, response.getStatusCode()); + + response.releaseConnection(); + } }
References
- github.com/advisories/GHSA-qww7-89xh-x7m7 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-55747 (GHSA, ADVISORY)
- github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318 (GHSA, x_refsource_MISC, WEB)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7 (GHSA, x_refsource_CONFIRM, WEB)
- jira.xwiki.org/browse/XWIKI-19350 (GHSA, x_refsource_MISC, WEB)