CVE-2025-66473: CWE-770: Allocation of Resources Without Limits or Throttling in xwiki xwiki-platform
XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API that does not currently enforce any limit on the number of items that can be requested in a single request. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11.
AI Analysis
Technical Summary
CVE-2025-66473 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the XWiki open-source wiki platform. The flaw exists in REST API list endpoints, such as /rest/wikis/xwiki/spaces, which by default return all spaces (essentially all pages) without enforcing any limit on the number of items returned per request. Because nothing caps the size of a response, an unauthenticated remote attacker can issue requests that consume excessive server memory and processing time, potentially overwhelming the system. The vulnerability affects multiple version ranges: all versions up to 16.10.10, versions 17.0.0-rc-1 through 17.4.3, and versions 17.5.0-rc-1 through 17.6.0. The excessive resource consumption can degrade performance severely or make the wiki service unavailable, effectively resulting in a denial-of-service (DoS) condition. The vulnerability requires no privileges or user interaction, which makes exploitation straightforward. The vendor addressed the issue by introducing limits on the number of items returned in API responses starting with versions 16.10.11 and 17.4.4. No exploits are currently reported in the wild, but the high CVSS score (8.7) reflects the potential impact if exploited. The vulnerability affects confidentiality minimally, has a high impact on availability, and leaves integrity unaffected. The attack vector is network-based with low attack complexity and no required privileges or user interaction.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the availability of internal or public-facing wiki services running vulnerable XWiki versions. Organizations relying on XWiki for documentation, knowledge sharing, or collaboration could experience service outages or severe performance degradation if exploited. This could disrupt business operations, delay project workflows, and reduce productivity. Public sector entities, research institutions, and enterprises with critical knowledge management systems are particularly vulnerable. Additionally, denial-of-service conditions could be leveraged as part of multi-vector attacks or to distract security teams. The lack of authentication requirement broadens the threat landscape, allowing external attackers to target these systems easily. Given the widespread use of open-source wiki platforms in Europe, the impact could be substantial if patches are not applied promptly.
Mitigation Recommendations
European organizations should immediately assess their XWiki deployments to identify affected versions. Upgrading to XWiki versions 16.10.11, 17.4.4, or later releases that include the fix is the most effective mitigation. If immediate upgrading is not feasible, organizations should implement network-level protections such as rate limiting and IP filtering on the REST API endpoints to restrict excessive requests. Deploying Web Application Firewalls (WAFs) with custom rules to detect and block unusually large API requests can reduce exploitation risk. Monitoring API usage patterns and setting alerts for abnormal request volumes will help detect potential attacks early. Additionally, organizations should review and harden API access controls, even though this vulnerability does not require authentication, to reduce the attack surface. Regular vulnerability scanning and patch management processes should be enforced to prevent exploitation of this and similar vulnerabilities.
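A log-side check for the "monitor API usage patterns" recommendation above, written as an added example that is not part of this advisory or of XWiki itself. It parses combined-format access-log lines (constructed sample included), flags list-resource responses that are unusually large, and counts per-client calls to the unbounded list endpoints; the byte and call thresholds are assumed policy values, not figures from the advisory.

```python
"""Flag abusive use of unbounded XWiki REST list resources in access logs.
Added detection example for the CVE-2025-66473 advisory, not XWiki project code.
Assumes combined-format access-log lines; thresholds are illustrative policy."""
import re
from collections import Counter
from urllib.parse import urlparse

# List resources that affected versions return without a size limit.
LIST_RESOURCE = re.compile(r"^/rest/wikis/[^/]+/(spaces|pages)(/|$)")
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')
MAX_RESPONSE_BYTES = 1_000_000  # assumed: a listing this large suggests a full dump
MAX_LIST_CALLS_PER_IP = 3       # assumed: list calls per client in one log window

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlparse(rec["target"]).path  # drop the query string
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"].isdigit() else 0
    return rec

def find_suspicious(lines):
    """Return (oversized, noisy_ips): list-resource requests whose response size
    exceeds MAX_RESPONSE_BYTES, and clients making more than MAX_LIST_CALLS_PER_IP
    list calls in the supplied window."""
    oversized, calls = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not LIST_RESOURCE.match(rec["path"]):
            continue  # unparsable line or not a list resource
        calls[rec["ip"]] += 1
        if rec["bytes"] > MAX_RESPONSE_BYTES:
            oversized.append((rec["ip"], rec["path"], rec["bytes"]))
    noisy = sorted(ip for ip, n in calls.items() if n > MAX_LIST_CALLS_PER_IP)
    return oversized, noisy

# Constructed sample: one client repeatedly pulls the full space listing (large
# responses); another makes one small list request and one ordinary page view.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2025:22:10:42 +0000] "GET /rest/wikis/xwiki/spaces HTTP/1.1" 200 5242880
203.0.113.7 - - [10/Dec/2025:22:10:43 +0000] "GET /rest/wikis/xwiki/spaces HTTP/1.1" 200 5242880
203.0.113.7 - - [10/Dec/2025:22:10:44 +0000] "GET /rest/wikis/xwiki/spaces?media=json HTTP/1.1" 200 5242880
203.0.113.7 - - [10/Dec/2025:22:10:45 +0000] "GET /rest/wikis/xwiki/spaces HTTP/1.1" 200 5242880
198.51.100.2 - - [10/Dec/2025:22:11:01 +0000] "GET /rest/wikis/xwiki/spaces/Main/pages HTTP/1.1" 200 1834
198.51.100.2 - - [10/Dec/2025:22:11:05 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 22310
"""
```

Feed `find_suspicious` a window of real log lines (for example the last few minutes) and alert on any client in the noisy list or any oversized entry; after upgrading to a fixed version, the oversized signal should disappear while the per-client count remains a useful rate-limit indicator.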
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-02T16:23:01.097Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6939efe25ab76fdc5f31bfb5
Added to database: 12/10/2025, 10:10:42 PM
Last enriched: 12/17/2025, 11:12:35 PM
Last updated: 2/7/2026, 2:09:05 PM