CVE-2025-27419
Published: 03 March 2025
Summary
CVE-2025-27419 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in WeGIA (vendor: Wegia). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks in the top 24.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly implements denial-of-service protections at boundaries to block aggressive spidering and large request volumes that cause server unresponsiveness.
- Enforces information input restrictions to prevent denial-of-service from recursive crawling of dynamically generated URLs.
- Protects resource availability by restricting allocations that could be exhausted by excessive unauthenticated requests.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
- The DoS vulnerability enables resource exhaustion via aggressive spidering/requests, directly facilitating T1499.003 Application Exhaustion Flood.
NVD Description
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Denial of Service (DoS) vulnerability exists in WeGIA. This vulnerability allows any unauthenticated user to cause the server to become unresponsive by performing aggressive spidering. The vulnerability is caused by recursive crawling of dynamically generated URLs and insufficient handling of large volumes of requests. This vulnerability is fixed in 3.2.16.
Deeper analysis [AI]
CVE-2025-27419 is a Denial of Service (DoS) vulnerability affecting WeGIA, an open-source Web Manager for Institutions primarily designed for Portuguese language users. The flaw arises from recursive crawling of dynamically generated URLs coupled with insufficient handling of large volumes of requests, enabling the server to become unresponsive under aggressive spidering. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-770.
Any unauthenticated user with network access can exploit this vulnerability by conducting aggressive spidering, which triggers excessive resource consumption and renders the WeGIA server unresponsive. Exploitation requires no privileges, user interaction, or special conditions beyond low-complexity network operations, resulting in high-impact availability disruption without affecting confidentiality or integrity.
The vulnerability is fixed in WeGIA version 3.2.16. Mitigation details are available in the GitHub security advisory at GHSA-9rp6-4mqp-g4p8 and the patching commit at 624ddfadb3fd8f8b30ad4f601b032a9bacc86a39, which security practitioners should review for implementation guidance.
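Until the 3.2.16 update is deployed, the exploitation pattern described above (one unauthenticated client hammering many distinct dynamically generated URLs) is visible in ordinary web server access logs. The following detector is an added example written for this page, not code from WeGIA or the advisory: it parses combined-log-format lines and flags any client whose request count or distinct-URL count within a sliding time window exceeds a threshold. The log lines, client addresses and `/app/list.php?id=` path are constructed sample data, and the thresholds are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: "<ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes>"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')


def parse_line(line):
    """Return (ip, timestamp, path) for a well-formed access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]


def find_aggressive_spiders(lines, window_seconds=10, max_requests=30, max_distinct_paths=20):
    """Flag clients that, within any sliding window of window_seconds, exceed either threshold.

    Returns {ip: (peak_requests_in_window, peak_distinct_paths_in_window)}.
    Distinct paths matter because recursive crawling of generated URLs produces
    a new query string on almost every request, unlike a user reloading one page.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, path = parsed
            events[ip].append((ts, path))
    flagged, window = {}, timedelta(seconds=window_seconds)
    for ip, evs in events.items():
        evs.sort()
        peak_requests = peak_distinct = start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start forward
                start += 1
            in_window = evs[start:end + 1]
            peak_requests = max(peak_requests, len(in_window))
            peak_distinct = max(peak_distinct, len({p for _, p in in_window}))
        if peak_requests > max_requests or peak_distinct > max_distinct_paths:
            flagged[ip] = (peak_requests, peak_distinct)
    return flagged


def _line(ip, second, path):  # constructed sample line, not real traffic
    return f'{ip} - - [03/Mar/2025:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one spider issuing 40 unique generated URLs in 10 s, one normal client.
SAMPLE_LOG = [_line("203.0.113.7", i % 10, f"/app/list.php?id={i}") for i in range(40)]
SAMPLE_LOG += [_line("198.51.100.5", i * 3, "/app/index.php") for i in range(5)]

if __name__ == "__main__":
    print(find_aggressive_spiders(SAMPLE_LOG))  # {'203.0.113.7': (40, 40)}
```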
Details
- CWE(s)