Description
XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf
Patch x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b
Patch, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-23355
Scores
CVSS v3
7.5
EPSS
0.0009
EPSS Percentile
24.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (2)
org.xwiki.platform/xwiki-platform-rest-server
0 - 16.10.11Maven
xwiki/xwiki
< 16.10.11
Published
Dec 10, 2025
Tracked Since
Feb 18, 2026