CVE-2025-66473

Source
https://cve.org/CVERecord?id=CVE-2025-66473
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66473.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66473
Aliases
Published
2025-12-10T21:51:55.836Z
Modified
2026-03-14T12:46:20.785942Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis
Details

XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3, and 17.5.0-rc-1 through 17.6.0 expose a REST API that does not enforce any limit on the number of items that can be requested in a single request. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are effectively all pages. This issue is fixed in versions 17.4.4 and 16.10.11.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66473.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "16.10.11"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Database specific
{
    "versions": [
        {
            "introduced": "17.0.0-rc-1"
        },
        {
            "fixed": "17.4.4"
        }
    ]
}

Affected versions

xwiki-application-calendar-1.*
xwiki-application-calendar-1.0
xwiki-platform-16.*
xwiki-platform-16.10.0
xwiki-platform-16.10.0-rc-1
xwiki-platform-16.10.1
xwiki-platform-16.10.10
xwiki-platform-16.10.2
xwiki-platform-16.10.3
xwiki-platform-16.10.4
xwiki-platform-16.10.5
xwiki-platform-16.10.6
xwiki-platform-16.10.7
xwiki-platform-16.10.8
xwiki-platform-16.10.9
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2
xwiki-plugin-tag-1.*
xwiki-plugin-tag-1.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66473.json"