CVE-2025-27419
Published: 03 March 2025
Summary
CVE-2025-27419 is a critical-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in WeGIA. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked in the top 24.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
WeGIA is an open source web manager for institutions, primarily targeting Portuguese-language users. CVE-2025-27419 is a denial-of-service vulnerability (CWE-770) that allows remote attackers to render the server unresponsive through aggressive spidering. The root cause is recursive crawling of dynamically generated URLs combined with a lack of rate limiting or resource controls, enabling any unauthenticated client to exhaust server capacity. The issue affects versions prior to 3.2.16 and carries a CVSS 4.0 score of 9.2 due to its high impact on availability.
Any unauthenticated remote attacker can trigger the flaw simply by directing a web crawler or similar tool at the application. Because the vulnerable code follows dynamically produced links without depth or volume restrictions, even modest request volumes can consume enough resources to make the service unavailable to legitimate users. No authentication, special privileges, or user interaction is required.
The project’s security advisory GHSA-9rp6-4mqp-g4p8 and the associated commit 624ddfadb3fd8f8b30ad4f601b032a9bacc86a39 confirm that the vulnerability is resolved in release 3.2.16. Administrators should upgrade immediately; no work-arounds are documented in the advisory. The EPSS score remains low (peak 0.0117), with no indication of active exploitation in the wild.
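The advisory attributes the outage to unbounded request handling with no throttling, which is exactly the gap NIST SC-5/SC-6 controls close. The following is an added illustration, not WeGIA project code: a per-client token-bucket limiter placed at the application boundary, ahead of any dynamically generated page, driven over a constructed request stream. The client addresses, paths, rate and burst values are all assumptions chosen for the demonstration.

```python
"""
Per-client token-bucket throttling at the application boundary.
Added illustration, not code from the WeGIA project: the request stream,
client addresses, paths and limits below are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Bucket:
    tokens: float   # request credits currently available
    last: float     # timestamp (seconds) of the last refill


@dataclass
class TokenBucketLimiter:
    """Each client may burst up to `burst` requests and is then refilled at
    `rate` requests per second. Unknown clients start with a full bucket."""
    rate: float
    burst: int
    buckets: Dict[str, Bucket] = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        b = self.buckets.get(client)
        if b is None:
            b = self.buckets[client] = Bucket(tokens=float(self.burst), last=now)
        # Refill proportionally to elapsed time, never above the burst size.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(float(self.burst), b.tokens + elapsed * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def retry_after(self, client: str) -> float:
        """Seconds until the client holds one full credit again."""
        b = self.buckets[client]
        return max(0.0, (1.0 - b.tokens) / self.rate)


def handle(limiter: TokenBucketLimiter, client: str, now: float,
           path: str) -> Tuple[int, dict]:
    """Boundary check that runs before any expensive page generation.
    Returns (status, headers); the 200 branch stands in for the real handler."""
    if not limiter.allow(client, now):
        return 429, {"Retry-After": str(round(limiter.retry_after(client), 2))}
    return 200, {"X-Path": path}


def simulate(requests: List[Tuple[float, str, str]], rate: float,
             burst: int) -> Dict[str, Dict[int, int]]:
    """Run a (timestamp, client, path) stream through the limiter and tally
    status codes per client. The stream is sorted by timestamp first."""
    limiter = TokenBucketLimiter(rate=rate, burst=burst)
    counts: Dict[str, Dict[int, int]] = {}
    for now, client, path in sorted(requests):
        status, _ = handle(limiter, client, now, path)
        per_client = counts.setdefault(client, {})
        per_client[status] = per_client.get(status, 0) + 1
    return counts


# Constructed sample: one crawler following generated links at 4 requests/s
# for 10 s, and one ordinary user clicking a page every two seconds.
CRAWLER = [(100.0 + 0.25 * i, "10.0.0.5", f"/page?id={i}") for i in range(40)]
USER = [(100.0 + 2.0 * i, "10.0.0.8", "/home") for i in range(6)]


def demo() -> Dict[str, Dict[int, int]]:
    """Crawler is held to burst + refill (13 served, 27 throttled);
    the ordinary user is never throttled."""
    return simulate(CRAWLER + USER, rate=1.0, burst=4)


if __name__ == "__main__":
    for client, tally in demo().items():
        print(client, tally)
```

The check happens before any work is allocated for the request, so a crawler that keeps following generated links is bounded to the configured rate regardless of how many URLs the application emits, while a client at normal pace never sees a 429. In a deployment the same throttle is usually enforced at the reverse proxy or WAF rather than in application code, but the accounting is identical.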
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6013
Vulnerability details
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Denial of Service (DoS) vulnerability exists in WeGIA. This vulnerability allows any unauthenticated user to cause the server to become unresponsive by performing aggressive spidering. The vulnerability is caused by recursive crawling of dynamically generated URLs and insufficient handling of large volumes of requests. This vulnerability is fixed in 3.2.16.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
DoS vulnerability enables resource exhaustion via aggressive spidering/requests, directly facilitating T1499.003 Application Exhaustion Flood.
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly implements denial-of-service protections at boundaries to block aggressive spidering and large request volumes that cause server unresponsiveness.
- Information input restrictions: prevent denial-of-service from recursive crawling of dynamically generated URLs.
- SC-6 (Resource Availability): protects resource availability by restricting allocations that could be exhausted by excessive unauthenticated requests.