CVE-2025-66473
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | 17.6.0 |
| xwiki | xwiki | 17.5.0-rc-1 |
| xwiki | xwiki | 16.10.10 |
| xwiki | xwiki | 17.4.3 |
| xwiki | xwiki | 17.0.0-rc-1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of XWiki where the REST API does not limit the number of items that can be requested in a single call. For example, the /rest/wikis/xwiki/spaces endpoint returns all spaces (essentially all pages) by default without restrictions. This lack of limits can cause performance issues such as slowness or unavailability of the wiki, depending on the number of pages and memory configuration.
How can this vulnerability impact me? :
The vulnerability can lead to significant slowness or even unavailability of the XWiki platform when large requests are made to the REST API without limits. This can disrupt access to the wiki, affecting productivity and availability of information.
What immediate steps should I take to mitigate this vulnerability?
Upgrade XWiki to version 17.4.4 or 16.10.11 or later, as these versions contain the fix for this vulnerability.