REST API Limitations in XWiki Open-Source Software
CVE-2025-66473

8.7 HIGH

Key Information:

Vendor: XWiki

CVE Published: 10 December 2025

What is CVE-2025-66473?

XWiki, an open-source wiki software platform, has a vulnerability in its REST API: the API does not enforce an upper bound on the number of items that can be requested in a single call. Because of this, a request for a very large number of pages, for example retrieving all spaces through the /rest/wikis/xwiki/spaces resource, can degrade performance or make the wiki unavailable. The issue has been fixed in versions 17.4.4 and 16.10.11.
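The mitigation the fix describes, a server-side cap on the page size, is easy to see in code. The following is an added illustration for this advisory, not XWiki's own code; it assumes a list endpoint that takes `start` and `number` query parameters (as XWiki's REST API does) and uses a constructed in-memory list of 50,000 space names in place of a real wiki. The unbounded handler honours whatever `number` the client sends, so one request can pull the whole dataset; the bounded handler clamps `number` into a fixed range and reports the effective page along with the total, so clients can still iterate.

```python
"""Bounded pagination for a REST list endpoint (added example, not XWiki code).

Assumptions: query parameters are named 'start' and 'number' (hypothetical
handler; the parameter names match XWiki's REST API but nothing else here is
taken from the project). The dataset below is constructed for the demo.
"""
from urllib.parse import parse_qs

DEFAULT_PAGE_SIZE = 25   # page size when the client sends no 'number'
MAX_PAGE_SIZE = 100      # hard upper bound the server enforces

# Constructed sample data standing in for a large wiki: 50,000 space names.
SPACES = [f"Space{i}" for i in range(50_000)]


def _int_param(params: dict, name: str, default: int) -> int:
    """Return the integer value of a query parameter, or default if absent or not numeric."""
    raw = params.get(name, [None])[0]
    if raw is None:
        return default
    try:
        return int(raw)
    except ValueError:
        return default


def list_spaces_unbounded(query: str) -> list:
    """Vulnerable shape: 'number' is used as sent, so number=1000000 returns every item."""
    params = parse_qs(query)
    start = max(0, _int_param(params, "start", 0))
    number = _int_param(params, "number", DEFAULT_PAGE_SIZE)
    return SPACES[start:start + number]


def list_spaces_bounded(query: str) -> dict:
    """Hardened shape: clamp 'number' into [1, MAX_PAGE_SIZE] before touching the data.

    The response echoes the effective 'start' and 'number' and the total count so a
    client that asked for too much can page through the rest instead of failing silently.
    """
    params = parse_qs(query)
    start = max(0, _int_param(params, "start", 0))
    number = _int_param(params, "number", DEFAULT_PAGE_SIZE)
    number = min(max(number, 1), MAX_PAGE_SIZE)  # the check the vulnerable version lacks
    items = SPACES[start:start + number]
    return {"start": start, "number": number, "total": len(SPACES), "items": items}


if __name__ == "__main__":
    print("unbounded number=1000000 ->", len(list_spaces_unbounded("number=1000000")), "items")
    page = list_spaces_bounded("number=1000000")
    print("bounded   number=1000000 ->", len(page["items"]), "items of", page["total"])
```

The clamp happens before any data is read, which is the property that matters: the cost of a request is bounded by the server's constant, not by a value the client chooses. Invalid or negative values fall back to sane defaults rather than being passed through to the slice.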

Affected Version(s)

  • xwiki-platform < 16.10.11

  • xwiki-platform >= 17.0.0-rc-1, < 17.4.4

  • xwiki-platform >= 17.5.0-rc-1, < 17.7.0-rc-1


CVSS v4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
