Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

XWiki REST API Unrestricted Item Request Limit Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in XWiki's REST API, specifically in versions 16.10.10 and prior, 17.0.0-rc-1 through 17.4.3, and 17.5.0-rc-1 through 17.6.0. The vulnerability arises because the API does not enforce limits on the number of items that can be requested in a single call. This lack of restriction can lead to performance degradation and unavailability of the wiki, particularly in large wikis with many pages. For instance, the '/rest/wikis/xwiki/spaces' resource, which returns all spaces (essentially all pages) by default, can cause the wiki to become slow or unavailable. This issue has been addressed in versions 17.4.4 and 16.10.11.

Impact

Exploitation of this vulnerability can cause the wiki to become unresponsive and unavailable, with the server potentially running out of memory and crashing.

Reproduction

To reproduce this vulnerability, send repeated requests to the '/rest/wikis/xwiki/spaces' endpoint on a wiki with a large number of pages, using any tool that automates request sending, such as a command-line tool or a browser extension. Monitor the server's memory usage and availability; the wiki is likely to become unresponsive and crash while the requests are being processed.

Remediation

Users can update to XWiki versions 17.4.4, 17.7.0-rc-1, or 16.10.11, all of which include the necessary patch. Instructions for updating XWiki can be found in the release notes for these versions.
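A small triage helper, added here as an example rather than code from XWiki or the advisory's publisher: it encodes the affected ranges from the Vulnerability section and the fixed versions from the Remediation section, so an installed version string can be checked against them. It assumes XWiki version strings of the form `MAJOR.MINOR.PATCH` with an optional `-rc-N` suffix, and treats any version outside the listed ranges as simply not listed, not as verified safe.

```python
import re
from typing import Tuple

# Inclusive affected ranges, copied from the advisory text.
AFFECTED_RANGES = [
    ("0.0.0", "16.10.10"),        # "16.10.10 and prior"
    ("17.0.0-rc-1", "17.4.3"),    # "17.0.0-rc-1 through 17.4.3"
    ("17.5.0-rc-1", "17.6.0"),    # "17.5.0-rc-1 through 17.6.0"
]
# Versions the advisory names as carrying the patch.
FIXED_VERSIONS = ["16.10.11", "17.4.4", "17.7.0-rc-1"]

# Assumed version syntax: MAJOR.MINOR.PATCH, optionally followed by -rc-N.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc-(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version string into a sortable tuple.

    A release candidate sorts before the final release of the same
    number, so 17.0.0-rc-1 < 17.0.0-rc-2 < 17.0.0 < 17.0.1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)   # final release
    return (int(major), int(minor), int(patch), 0, int(rc))  # candidate


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def assess(version: str) -> str:
    """Classify a version as 'affected', 'fixed', or 'not listed'."""
    if is_affected(version):
        return "affected"
    if version.strip() in FIXED_VERSIONS:
        return "fixed"
    return "not listed"


if __name__ == "__main__":
    for v in ["16.10.10", "16.10.11", "17.0.0-rc-1", "17.4.3", "17.4.4"]:
        print(f"{v:>12}: {assess(v)}")
```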

Added: Dec 10, 2025, 10:22 PM
Updated: Dec 10, 2025, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 9.8
remediation: 7.9
relevance: 1.4
threat: 8.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.