CVE-2025-66473 Overview
CVE-2025-66473 is a Resource Exhaustion vulnerability affecting XWiki, an open-source wiki software platform. The vulnerability exists in the REST API, which fails to enforce any limit on the number of items that can be requested in a single request. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness or complete unavailability of the wiki service.
As a concrete example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which essentially corresponds to all pages. An attacker can exploit this lack of pagination limits to exhaust server resources and cause a denial of service condition.
Critical Impact
Unauthenticated attackers can cause denial of service by sending crafted REST API requests that exhaust server memory and CPU resources, leading to wiki unavailability.
Affected Products
- XWiki versions 16.10.10 and below
- XWiki versions 17.0.0-rc-1 through 17.4.3
- XWiki versions 17.5.0-rc-1 through 17.6.0
Discovery Timeline
- 2025-12-10 - CVE-2025-66473 published to NVD
- 2025-12-19 - Last updated in NVD database
Technical Details for CVE-2025-66473
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The XWiki REST API endpoints accept user-controlled parameters for retrieving wiki content but fail to implement proper input validation or resource limits on the number of items returned in API responses.
The attack can be executed remotely over the network without requiring any authentication or user interaction. The vulnerability specifically impacts availability while confidentiality and integrity remain unaffected. When exploited, the server attempts to load and serialize an unbounded number of wiki pages into the response, consuming excessive memory and processing time.
Root Cause
The root cause is improper handling of the limit parameter in REST API requests. Prior to the patch, the application would accept any user-supplied limit value without validation against a maximum threshold. The vulnerable code directly converted the request parameter to a number and used it as the query limit, allowing attackers to request an unlimited number of items.
Attack Vector
The vulnerability is exploitable via network-accessible REST API endpoints. An unauthenticated attacker can send HTTP requests to endpoints such as /rest/wikis/xwiki/spaces without specifying a reasonable limit, causing the server to attempt to return all wiki spaces (pages) in a single response. This can exhaust available memory and CPU resources, particularly on wikis with a large number of pages.
The attack is straightforward and requires low complexity—no special conditions or authentication are needed. Multiple concurrent requests can amplify the impact, potentially causing complete service unavailability.
## Before patch - vulnerable code (attachmentsjson.vm)
## The request parameter is converted to a number and used directly as the
## query limit; only a missing value falls back to the default, nothing caps it.
#set ($limit = $numbertool.toNumber($request.limit).intValue())
#if (!$limit)
  #set ($limit = 15)
#end

## After patch - fixed code with validation
## The macro reads the 'limit' parameter, applies the default of 15 and
## validates the result before it is used.
#getAndValidateQueryLimitFromRequest('limit', 15, $limit)
Source: GitHub Commit Update
## Before patch - vulnerable DocumentTreeMacros.xml
## The value is floored at 1 but has no upper bound.
#set ($limit = $mathtool.max($numbertool.toNumber($request.limit).intValue(), 1))
#if ("$!limit" == '')
  #set ($limit = 15)
#end

## After patch - added limit validation
#set ($limit = $mathtool.max($numbertool.toNumber($request.limit).intValue(), 1))
#if ("$!limit" == '')
  #set ($limit = 15)
#else
  ## Any user-supplied value is now checked against the allowed maximum.
  #validateQueryLimit($limit)
#end
Source: GitHub Commit Update
Detection Methods for CVE-2025-66473
Indicators of Compromise
- Unusual spikes in memory consumption on XWiki server instances
- Abnormally slow response times or timeouts for REST API endpoints
- High volume of requests to /rest/wikis/xwiki/spaces or similar endpoints with missing or extremely high limit parameters
- Server out-of-memory errors or crashes coinciding with REST API activity
Detection Strategies
- Monitor web application firewall (WAF) logs for REST API requests without limit parameters or with unusually large values
- Implement rate limiting on REST API endpoints to detect and block excessive request patterns
- Configure application performance monitoring (APM) to alert on abnormal resource consumption patterns
- Review access logs for repeated requests to space enumeration endpoints from single IP addresses
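To make the root-cause and detection material above concrete, here is an added Python example (not XWiki's own code and not from the page). It does two things: it mirrors the shape of a query-limit check of the kind the patch's validation macros apply (missing or non-numeric value falls back to the default, values above a maximum are rejected), and it runs that check over constructed access-log lines to flag the request patterns listed under Detection Strategies (a missing limit on the spaces resource, extremely high limit values, and repeats from a single IP). Assumptions: the default of 15 comes from the templates on the page and the maximum of 100 from the page's nginx example; the page does not show what #validateQueryLimit actually does, so the exact behaviour here is assumed; the log format, the sample log lines and every function name are constructed for this example.

```python
"""Flag XWiki REST requests whose limit parameter would exceed a query limit.

Added example, not XWiki's own code. Mirrors a clamp-and-reject limit check
and runs it over constructed access-log lines.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

DEFAULT_LIMIT = 15   # default used by the templates quoted on the page
MAX_LIMIT = 100      # assumed ceiling (the value used in the page's nginx example);
                     # XWiki's real maximum is not stated on the page

# Subset of the Apache/nginx combined log format: ip, timestamp, request line,
# status and response size. Constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def validate_query_limit(raw, default=DEFAULT_LIMIT, maximum=MAX_LIMIT):
    """Return (limit, reason) for a raw 'limit' query value.

    Assumed behaviour of a validating limit check: missing or non-numeric
    input falls back to the default, values below 1 are floored to 1 (as the
    $mathtool.max call on the page does) and values above the maximum are
    rejected instead of being passed to the query.
    """
    if raw is None or raw == "":
        return default, "default"
    try:
        value = int(raw)
    except ValueError:
        return default, "default"   # $numbertool.toNumber would yield null -> default
    if value < 1:
        return 1, "floored"
    if value > maximum:
        return None, "too_large"
    return value, "ok"


def classify_request(target):
    """Classify one request target; returns None for non-REST paths."""
    parts = urlsplit(target)
    if not parts.path.startswith("/rest/"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    raw = query.get("limit", [None])[0]
    limit, reason = validate_query_limit(raw)
    # The advisory says the spaces resource returns all spaces when no limit
    # is given, so a missing limit on that resource is itself worth flagging.
    if raw is None and parts.path.endswith("/spaces"):
        reason = "missing_on_spaces"
    return {"path": parts.path, "raw_limit": raw, "limit": limit, "reason": reason}


def analyze_log(lines, repeat_threshold=3):
    """Return (suspicious entries, IPs with >= repeat_threshold suspicious hits)."""
    suspicious = []
    per_ip = Counter()
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue                      # skip lines in an unexpected format
        info = classify_request(match.group("target"))
        if info is None:
            continue                      # not a REST API request
        if info["reason"] in ("too_large", "missing_on_spaces"):
            info["ip"] = match.group("ip")
            suspicious.append(info)
            per_ip[info["ip"]] += 1
    repeat_offenders = sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
    return suspicious, repeat_offenders


# Constructed sample log lines (documentation IP ranges, fictitious traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2025:10:00:01 +0000] "GET /rest/wikis/xwiki/spaces HTTP/1.1" 200 58212',
    '203.0.113.7 - - [10/Dec/2025:10:00:02 +0000] "GET /rest/wikis/xwiki/spaces?limit=999999 HTTP/1.1" 200 91234',
    '203.0.113.7 - - [10/Dec/2025:10:00:03 +0000] "GET /rest/wikis/xwiki/spaces?limit=999999 HTTP/1.1" 503 0',
    '198.51.100.4 - - [10/Dec/2025:10:00:04 +0000] "GET /rest/wikis/xwiki/spaces?limit=20 HTTP/1.1" 200 3120',
    '198.51.100.4 - - [10/Dec/2025:10:00:05 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 14500',
    '198.51.100.4 - - [10/Dec/2025:10:00:06 +0000] "GET /rest/wikis/xwiki/pages?limit=abc HTTP/1.1" 200 2100',
]

if __name__ == "__main__":
    hits, offenders = analyze_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ip']} {hit['path']} limit={hit['raw_limit']!r} -> {hit['reason']}")
    print("repeat offenders:", offenders)
```

Run against the constructed lines, the script reports the three requests from 203.0.113.7 (one with no limit on the spaces resource, two with limit=999999) and lists that address as a repeat offender; the limit=20 request and the non-numeric limit=abc request fall through to normal handling. Feeding real access logs through analyze_log gives the "single IP, repeated requests, missing or huge limit" signal described in the detection strategies above.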
Monitoring Recommendations
- Set up alerts for memory utilization thresholds on XWiki application servers
- Monitor REST API response times and flag requests exceeding normal duration
- Track concurrent connections to REST API endpoints and alert on unusual spikes
- Implement log aggregation to correlate denial of service patterns across multiple server instances
How to Mitigate CVE-2025-66473
Immediate Actions Required
- Upgrade XWiki to version 17.4.4 or 16.10.11 immediately
- If immediate patching is not possible, implement WAF rules to enforce maximum limits on REST API requests
- Review and restrict network access to REST API endpoints where possible
- Monitor server resources closely for signs of exploitation until patching is complete
Patch Information
XWiki has addressed this vulnerability in versions 17.4.4 and 16.10.11. The fix introduces the #getAndValidateQueryLimitFromRequest and #validateQueryLimit macros to enforce proper limits on query parameters. Organizations should prioritize upgrading to these patched versions.
For detailed patch information, refer to:
Workarounds
- Deploy a reverse proxy or WAF rule to enforce maximum limit parameter values on REST API requests
- Restrict access to REST API endpoints to authenticated users only if business requirements permit
- Implement request rate limiting at the network or application level to mitigate abuse
- Consider temporarily disabling non-essential REST API endpoints until patching is complete
# Example nginx rate limiting configuration for XWiki REST API
# limit_req_zone and map must be declared in the http block, not the server block
limit_req_zone $binary_remote_addr zone=xwiki_rest:10m rate=10r/s;

# Flag a numeric limit query parameter greater than 100.
# nginx "if" cannot compare numbers, so the check is a regex on the digits:
# 101-199, 200-999 and anything with four or more digits (leading zeros ignored).
map $arg_limit $xwiki_limit_too_large {
    default 0;
    "~^0*([1-9][0-9]{3,}|[2-9][0-9]{2}|1[1-9][0-9]|1[0-9][1-9])$" 1;
}

# Add to the server block
location /rest/ {
    limit_req zone=xwiki_rest burst=20 nodelay;

    # Reject requests whose limit parameter exceeds the maximum
    if ($xwiki_limit_too_large) {
        return 400;
    }

    proxy_pass http://xwiki_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

