CVE-2025-66473
📋 TL;DR
XWiki REST API lacks request size limits, allowing attackers to request all wiki pages in a single call. This can cause excessive memory consumption leading to service slowdown or denial-of-service. Affects XWiki versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3, and 17.5.0-rc-1 through 17.6.0.
💻 Affected Systems
- XWiki
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to memory exhaustion, requiring server restart and potential data loss if memory pressure causes crashes.
Likely Case
Significant performance degradation and temporary unavailability affecting all wiki users until memory is freed.
If Mitigated
Minimal impact with proper rate limiting, memory monitoring, and request filtering in place.
🎯 Exploit Status
Exploitation requires only HTTP requests to REST endpoints like /rest/wikis/xwiki/spaces. No special tools or authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.10.11, 17.4.4, 17.6.1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf
Restart Required: Yes
Instructions:
1. Back up your XWiki instance.
2. Download the patched version from xwiki.org.
3. Stop the XWiki service.
4. Replace the installation with the patched version.
5. Restart the XWiki service.
6. Verify the version in the admin interface.
🔧 Temporary Workarounds
Web Application Firewall Rules
Implement WAF rules to limit request size and rate-limit REST API endpoints.
# Example nginx limit: limit_req_zone $binary_remote_addr zone=restapi:10m rate=10r/s;
# Add to location block: limit_req zone=restapi burst=20 nodelay;
Reverse Proxy Rate Limiting
Configure the reverse proxy to restrict large requests to REST endpoints.
# Apache mod_ratelimit (throttles response bandwidth, value in KiB/s): SetOutputFilter RATE_LIMIT
# Set env variable: SetEnv rate-limit 100
🧯 If You Can't Patch
- Implement network-level rate limiting for /rest/* endpoints
- Monitor memory usage and set alerts for abnormal spikes from REST API
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version in the admin interface or via /xwiki/bin/view/Main/About. If the version falls within an affected range and the REST API is reachable, the system is vulnerable.
Check Version:
curl -s http://xwiki-host/xwiki/bin/view/Main/About | grep -i 'xwiki version'
Verify Fix Applied:
After patching, verify that the version shows 16.10.11, 17.4.4, or 17.6.1 or later. Test the REST endpoint with large requests to confirm that limits are enforced.
📡 Detection & Monitoring
Log Indicators:
- Large memory consumption spikes
- Multiple requests to /rest/* endpoints in short time
- OutOfMemory errors in logs
- Slow response times for REST API
Network Indicators:
- High volume of requests to /rest/wikis/*/spaces
- Large HTTP responses from REST endpoints
- Abnormal traffic patterns to API endpoints
SIEM Query:
source="xwiki.log" AND ("OutOfMemory" OR ("rest/wikis" AND response_size>1000000))
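The network indicators and SIEM query above can also be checked offline against reverse-proxy access logs. The following is an added example, not part of the advisory or of XWiki: it parses combined-format access log lines, isolates requests to /rest/wikis/*/spaces, and flags clients that either burst past a request count inside a time window or receive responses above the 1,000,000-byte size used in the SIEM query. The log lines, IPs and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# nginx/Apache combined format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
# The endpoint family named in the advisory's network indicators.
REST_SPACES_RE = re.compile(r'^/(?:xwiki/)?rest/wikis/[^/]+/spaces(?:/|\?|$)')
# Constructed sample log (not real traffic): one client repeatedly pulling the full
# space listing with multi-megabyte responses, one user fetching a single page.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /xwiki/rest/wikis/xwiki/spaces HTTP/1.1" 200 2400000 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /xwiki/rest/wikis/xwiki/spaces HTTP/1.1" 200 2400000 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /xwiki/rest/wikis/xwiki/spaces HTTP/1.1" 200 2400000 "-" "curl/8.0"
198.51.100.4 - alice [01/Jan/2025:10:00:09 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"])}

def detect_rest_abuse(log_text, window_s=60, max_requests=10, max_bytes=1_000_000):
    """Return {client_ip: [reasons]} for clients exceeding either threshold on
    /rest/wikis/*/spaces; max_bytes mirrors response_size>1000000 in the SIEM query."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and REST_SPACES_RE.match(rec["path"]):
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons, start = [], 0
        for end in range(len(recs)):  # sliding window over request timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_requests:
                reasons.append(f"{end - start + 1} spaces requests within {window_s}s")
                break
        big = [r["bytes"] for r in recs if r["bytes"] > max_bytes]
        if big:
            reasons.append(f"{len(big)} responses over {max_bytes} bytes (largest {max(big)})")
        if reasons:
            findings[ip] = reasons
    return findings
```

Tune window_s and max_requests to the normal REST traffic of your instance before alerting on them; the size threshold alone already isolates the large full-listing responses in the sample.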