PT-2025-48545 · Xwiki · Xjetty

Published 2025-08-06 · Updated 2026-03-02 · CVE-2025-55749

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

XWiki versions 16.7.0 up to (but not including) 16.10.11
XWiki versions 17.4.0 up to (but not including) 17.4.4
XWiki version 17.7.0
Description

XWiki is an open-source wiki platform. In the XWiki Jetty package (XJetty), the bundled Jetty configuration exposes a context that serves every file under the webapp/ folder as a static resource. Configuration files such as WEB-INF/hibernate.cfg.xml, which holds the database credentials, live in that folder and are normally unreachable through the web application itself, so an unauthenticated remote attacker can read files that may contain sensitive information such as credentials. Only instances deployed with the XWiki Jetty package are affected; the root cause is a flaw in the access control mechanism.
Recommendations

XWiki versions 16.7.0 up to 16.10.11: upgrade to version 16.10.11 or later.
XWiki versions 17.4.0 up to 17.4.4: upgrade to version 17.4.4 or later.
XWiki version 17.7.0: upgrade to a version later than 17.7.0.

As a workaround, modify the start_xwiki.sh script as described in the upstream comparison at https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10. After upgrading or applying the workaround, restart Jetty and confirm that files under WEB-INF/ are no longer retrievable over HTTP.
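The following helpers are an added example, not part of the advisory or of XWiki's own code base. They do two things a practitioner wants around this issue: an active probe that asks for well-known XWiki configuration files under WEB-INF/ (the servlet specification forbids serving WEB-INF/ through the web application, so a 200 carrying real file content means another handler is serving the webapp/ directory), and a scan of Jetty NCSA request-log lines for past successful reads of WEB-INF/ paths. The advisory does not state which path the static context is mounted on, so CONTEXT_PATH is a placeholder assumption to be replaced per installation; the sample log lines are constructed, not captured.

```python
"""Added example (not from the advisory or from XWiki): check for and detect
static exposure of the XWiki webapp/ folder described in CVE-2025-55749.

probe()            - active check: GET known WEB-INF/ files under the static
                     context and report those returned as readable files.
scan_request_log() - retrospective check over Jetty NCSA request-log lines
                     for successful GET/HEAD requests to /WEB-INF/ paths.
"""
import re
import urllib.error
import urllib.request

# Files every XWiki webapp ships under WEB-INF/, with a marker string that
# shows the body is the real file rather than a 200 landing/error page.
SENSITIVE_PATHS = {
    "WEB-INF/hibernate.cfg.xml": "<hibernate-configuration",  # DB credentials
    "WEB-INF/xwiki.cfg": "xwiki.",
    "WEB-INF/xwiki.properties": "xwiki",
    "WEB-INF/web.xml": "<web-app",
}

# ASSUMPTION: the advisory does not name the static context path; replace
# this placeholder with the one used by your XJetty installation.
CONTEXT_PATH = "/"


def looks_served(status, body, marker):
    """True when the response is a 200 whose body carries the expected marker."""
    return status == 200 and marker in body


def probe(base_url, context_path=CONTEXT_PATH, timeout=5):
    """GET each sensitive path under base_url + context_path.

    Returns the URLs that came back as readable files.  Connection errors are
    skipped; HTTP errors such as 403/404 count as not exposed.
    """
    prefix = base_url.rstrip("/")
    ctx = context_path.strip("/")
    leaked = []
    for rel, marker in SENSITIVE_PATHS.items():
        url = f"{prefix}/{ctx}/{rel}" if ctx else f"{prefix}/{rel}"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                status = resp.status
                body = resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            status, body = err.code, ""
        except (urllib.error.URLError, OSError):
            continue
        if looks_served(status, body, marker):
            leaked.append(url)
    return leaked


# Jetty NCSA request log: client ident user [timestamp] "METHOD path proto" status bytes ...
NCSA_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def scan_request_log(lines):
    """Return (client, timestamp, path) for each 2xx GET/HEAD under a WEB-INF/ path.

    The real web application answers WEB-INF/ requests with 404, so a 2xx is
    evidence that the static context served the file.  Query strings are
    dropped and the match is case-insensitive.
    """
    hits = []
    for line in lines:
        m = NCSA_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if (m.group("method") in ("GET", "HEAD")
                and "/web-inf/" in path.lower()
                and m.group("status").startswith("2")):
            hits.append((m.group("client"), m.group("ts"), path))
    return hits


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2025:10:01:09 +0000] "GET /xwiki/WEB-INF/hibernate.cfg.xml HTTP/1.1" 404 312 "-" "curl/8.5.0"
203.0.113.7 - - [06/Aug/2025:10:01:15 +0000] "GET /WEB-INF/hibernate.cfg.xml HTTP/1.1" 200 4312 "-" "curl/8.5.0"
198.51.100.4 - - [06/Aug/2025:10:02:00 +0000] "GET /WEB-INF/xwiki.cfg?x=1 HTTP/1.1" 200 9004 "-" "python-requests/2.32"
198.51.100.4 - - [06/Aug/2025:10:02:03 +0000] "POST /WEB-INF/xwiki.cfg HTTP/1.1" 405 0 "-" "python-requests/2.32"
""".splitlines()


if __name__ == "__main__":
    for client, ts, path in scan_request_log(SAMPLE_LOG):
        print(f"possible WEB-INF read: {client} {ts} {path}")
    # Active check against a live instance (replace the host and CONTEXT_PATH):
    # print(probe("https://wiki.example.org", CONTEXT_PATH))
```

Run the active probe only against systems you are authorised to test; a non-empty result means the static context is still serving webapp/ and the upgrade or workaround has not taken effect. The log scan is deliberately broad (any 2xx to a WEB-INF/ path): on a correctly configured instance there should be no such lines at all, so each hit deserves a look.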

Weakness Enumeration

Improper Access Control

Related Identifiers

BDU:2025-15017
CVE-2025-55749
GHSA-53GX-J3P6-2RW9

Affected Products

Xjetty
Xwiki