CVE-2025-66473: CWE-770: Allocation of Resources Without Limits or Throttling in xwiki xwiki-platform
XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3, and 17.5.0-rc-1 through 17.6.0 contain a REST API that does not enforce any limit on the number of items that can be requested in a single request. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. For example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which amounts to essentially all pages. This issue is fixed in versions 17.4.4 and 16.10.11.
AI Analysis
Technical Summary
CVE-2025-66473 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) in the XWiki open-source wiki platform. The issue lies in the REST API endpoints of the affected versions (below 16.10.11, and certain 17.x release candidates before 17.4.4 and 17.7.0-rc-1): no limit is enforced on the number of items returned in a single API request. For example, the /rest/wikis/xwiki/spaces endpoint returns all spaces (essentially all pages) by default, with neither pagination nor throttling. An attacker can exploit this by sending requests that demand large amounts of data, causing excessive memory and CPU consumption on the server. This resource exhaustion can severely degrade performance or make the wiki service unavailable, which amounts to a denial-of-service (DoS) attack. The vulnerability is remotely exploitable without authentication or user interaction, which raises its risk profile. The CVSS 4.0 base score of 8.7 reflects the network attack vector, low complexity, no privileges or user interaction required, and high impact on availability. The vulnerability was publicly disclosed on December 10, 2025, and fixed in versions 16.10.11, 17.4.4, and later. No public exploits have been reported yet, but the nature of the flaw makes it a likely target for DoS attacks in unpatched environments.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the availability of XWiki-based collaboration platforms, which are commonly used in enterprises, government agencies, and educational institutions. Successful exploitation can disrupt internal knowledge sharing, project documentation, and operational workflows, potentially causing productivity losses and impacting business continuity. Public sector entities relying on XWiki for documentation or intranet services may face service outages, affecting citizen services or interdepartmental communications. Because no authentication is required, attackers can launch attacks from external networks, increasing exposure. Additionally, organizations with limited monitoring or rate limiting on their APIs are more vulnerable to sustained or repeated exploitation attempts. The impact is particularly critical for organizations with large wiki deployments, since the volume of data returned per request correlates directly with resource consumption and service degradation.
Mitigation Recommendations
The primary mitigation is to upgrade affected XWiki instances to versions 16.10.11, 17.4.4, or later, where the issue is fixed by enforcing limits on API responses. Organizations should implement API rate limiting and throttling at the web server or API gateway level to prevent excessive requests from overwhelming the system. Monitoring API usage patterns and setting alerts for unusually large or frequent requests can help detect exploitation attempts early. Network-level protections such as web application firewalls (WAFs) can be configured to block or challenge suspicious API calls. Additionally, organizations should review and restrict public access to the REST API endpoints where possible, applying authentication and authorization controls to limit exposure. Regular vulnerability scanning and patch management processes should be enforced to ensure timely updates. Finally, capacity planning and resource allocation should consider potential abuse scenarios to maintain service availability under stress.
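The monitoring recommendation above, applied to web-server access logs, as an added example that is not part of this advisory or of the XWiki project. It scans constructed combined-format log lines for calls to the unbounded spaces-listing endpoint and flags clients whose responses exceed a size threshold or whose request rate exceeds a per-window count; the thresholds, client addresses and response sizes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined access-log format; the wiki name in the REST path is a wildcard.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^ "]+) [^"]*" (\d{3}) (\d+|-)')
SPACES_RE = re.compile(r'^/rest/wikis/[^/?]+/spaces(?:[/?]|$)')

def parse_line(line):
    """Return (client, timestamp, path, status, bytes), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, _method, path, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return client, when, path, int(status), int(size) if size != "-" else 0

def peak_in_window(times, window_seconds):
    """Largest number of sorted timestamps inside any span of window_seconds."""
    left, peak = 0, 0
    for right, t in enumerate(times):
        while (t - times[left]).total_seconds() > window_seconds:
            left += 1
        peak = max(peak, right - left + 1)
    return peak

def find_bulk_listing_abuse(lines, max_bytes=10_000_000, max_requests=5, window_seconds=60):
    """Map client -> reasons when its spaces-listing calls returned oversized bodies or
    exceeded max_requests within a sliding window (both thresholds are assumptions)."""
    hits, oversized = defaultdict(list), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not SPACES_RE.match(rec[2]):
            continue  # malformed line, or not the unbounded listing endpoint
        client, when, _path, status, size = rec
        hits[client].append(when)
        if status == 200 and size > max_bytes:
            oversized[client] += 1
    alerts = {}
    for client, times in hits.items():
        reasons = [f"{oversized[client]} oversized responses"] if oversized[client] else []
        peak = peak_in_window(sorted(times), window_seconds)
        if peak > max_requests:
            reasons.append(f"{peak} requests in {window_seconds}s")
        if reasons:
            alerts[client] = reasons
    return alerts

# Constructed sample: one client pulls the full listing six times in a burst, one client is normal.
SAMPLE_LOG = [f'203.0.113.5 - - [10/Dec/2025:22:10:{40 + i:02d} +0000] '
              '"GET /rest/wikis/xwiki/spaces HTTP/1.1" 200 48213900' for i in range(6)] + [
    '198.51.100.7 - - [10/Dec/2025:22:11:02 +0000] "GET /rest/wikis/xwiki/spaces HTTP/1.1" 200 9800',
    '198.51.100.9 - - [10/Dec/2025:22:11:05 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 51200']
```

Running `find_bulk_listing_abuse(SAMPLE_LOG)` reports only the bursting client; tune the thresholds to the size of your wiki, since a legitimate full listing on a small instance is small.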
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-02T16:23:01.097Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6939efe25ab76fdc5f31bfb5
Added to database: 12/10/2025, 10:10:42 PM
Last enriched: 12/10/2025, 10:17:03 PM
Last updated: 12/11/2025, 6:00:29 AM