CVE-2024-21651 HIGH

CVE-2024-21651: XWiki Denial of Service attack through attachments

Vendor Xwiki
Product xwiki-platform
Weakness CWE-400
Published January 8, 2024
Last update June 3, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.

Key dates

02Disclosure timeline

January 8, 2024 CVE published
June 3, 2025 Record updated