CVE-2025-66473 HIGH

CVE-2025-66473: XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis

Vendor Xwiki
Product xwiki-platform
Weakness CWE-770 · Uncontrolled resource consumption
Published December 10, 2025
Last update December 11, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11.

Key dates

02Disclosure timeline

December 10, 2025 CVE published
December 11, 2025 Record updated