Cyber Resilience

CVE-2025-27419

Tags: Critical · Public PoC · DDoS

Published: 03 March 2025
Modified: 07 March 2025
KEV Added: not listed
Patch: fixed in 3.2.16
CVSS Score (v4): 9.2
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0089 (76.0th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27419 is a critical-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Wegia Wegia. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks in the top 24.0% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

WeGIA is an open source web manager for institutions, primarily targeting Portuguese-language users. CVE-2025-27419 is a denial-of-service vulnerability (CWE-770) that allows remote attackers to render the server unresponsive through aggressive spidering. The root cause is recursive crawling of dynamically generated URLs combined with a lack of rate limiting or resource controls, enabling any unauthenticated client to exhaust server capacity. The issue affects versions prior to 3.2.16 and carries a CVSS 4.0 score of 9.2 due to its high impact on availability.

Any unauthenticated remote attacker can trigger the flaw simply by directing a web crawler or similar tool at the application. Because the vulnerable code follows dynamically produced links without depth or volume restrictions, even modest request volumes can consume enough resources to make the service unavailable to legitimate users. No authentication, special privileges, or user interaction is required.

The project's security advisory GHSA-9rp6-4mqp-g4p8 and the associated commit 624ddfadb3fd8f8b30ad4f601b032a9bacc86a39 confirm that the vulnerability is resolved in release 3.2.16. Administrators should upgrade immediately; no workarounds are documented in the advisory. The EPSS score remains low (peak 0.0117), with no indication of active exploitation in the wild.

Vulnerability details

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Denial of Service (DoS) vulnerability exists in WeGIA. This vulnerability allows any unauthenticated user to cause the server to become unresponsive by performing aggressive spidering. The vulnerability is caused by recursive crawling of dynamically generated URLs and insufficient handling of large volumes of requests. This vulnerability is fixed in 3.2.16.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

DoS vulnerability enables resource exhaustion via aggressive spidering/requests, directly facilitating T1499.003 Application Exhaustion Flood.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24905 (same product: Wegia Wegia)
CVE-2024-57030 (same product: Wegia Wegia)
CVE-2025-26605 (same product: Wegia Wegia)
CVE-2025-27140 (same product: Wegia Wegia)
CVE-2026-33136 (same product: Wegia Wegia)
CVE-2026-23723 (same product: Wegia Wegia)
CVE-2025-26611 (same product: Wegia Wegia)
CVE-2025-23220 (same product: Wegia Wegia)
CVE-2025-30365 (same product: Wegia Wegia)
CVE-2025-26615 (same product: Wegia Wegia)

Affected Assets

Vendor: wegia
Product: wegia
Versions: ≤ 3.2.16

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Control type: prevent. Directly implements denial-of-service protections at boundaries to block aggressive spidering and large request volumes that cause server unresponsiveness.

Control type: prevent. Enforces information input restrictions to prevent denial-of-service from recursive crawling of dynamically generated URLs.

Control type: prevent. Protects resource availability by restricting allocations that could be exhausted by excessive unauthenticated requests.
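The root cause described in the Deeper analysis above (unbounded request volume against dynamically generated URLs from an unauthenticated client) and the controls listed in this section (boundary denial-of-service protection and resource-availability limits) can be shown together with a small admission throttle and a log-based detector. The Python below is an added example for this page, not code from the WeGIA project, the advisory or the fixing commit; the client addresses, the traffic trace, the access-log lines and the limits used (a burst of 10 requests, a refill of 2 requests per second, 50 in-flight requests, and a detection threshold of 30 requests per 10-second window) are all constructed for illustration.

```python
"""Per-client throttling, a global work cap, and burst detection over access logs.
Added example: illustrates the SC-5 / SC-6 style controls discussed on this page."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from heapq import heappop, heappush


class TokenBucket:
    """Token bucket kept in integer millitokens and integer milliseconds, so the
    admit/reject decision never depends on floating-point drift at a boundary."""

    def __init__(self, capacity, refill_per_sec, now_ms):
        self.capacity = capacity * 1000        # millitokens
        self.refill_per_ms = refill_per_sec    # tokens/s is numerically millitokens/ms
        self.tokens = self.capacity
        self.last_ms = now_ms

    def try_take(self, now_ms):
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class Throttle:
    """Per-client token bucket (boundary DoS protection) plus a server-wide cap on
    in-flight requests (resource availability). Limits are constructed defaults."""

    def __init__(self, burst=10, refill_per_sec=2, max_in_flight=50):
        self.burst, self.refill, self.max_in_flight = burst, refill_per_sec, max_in_flight
        self.buckets = {}
        self.in_flight = 0

    def admit(self, client, now_ms):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.burst, self.refill, now_ms)
        if not bucket.try_take(now_ms):
            return 429                         # this client exceeded its own budget
        if self.in_flight >= self.max_in_flight:
            return 503                         # shared work cap reached: shed load
        self.in_flight += 1
        return 200

    def release(self):
        self.in_flight -= 1


def replay(throttle, trace):
    """Replay (t_ms, client, service_ms) tuples sorted by time; return per-client
    status counts. Completed requests are released before the next decision."""
    counts = defaultdict(lambda: defaultdict(int))
    finishing = []                             # min-heap of completion times
    for t_ms, client, service_ms in trace:
        while finishing and finishing[0] <= t_ms:
            heappop(finishing)
            throttle.release()
        status = throttle.admit(client, t_ms)
        counts[client][status] += 1
        if status == 200:
            heappush(finishing, t_ms + service_ms)
    return {c: dict(s) for c, s in counts.items()}


def constructed_trace():
    """Constructed traffic (not real data): a spider sending 10 requests per second
    for 10 s, each costing 2 s of server time, plus one ordinary user."""
    spider = [(i * 100, "198.51.100.7", 2000) for i in range(100)]
    user = [(t, "192.0.2.10", 200) for t in (1000, 3000, 5000, 7000, 9000)]
    return sorted(spider + user)


# Combined-log-format prefix: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+')


def constructed_log():
    """Constructed access-log lines for the same traffic (not real log data)."""
    base = datetime(2025, 3, 3, 10, 0, 0)

    def line(ip, sec, i):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return f'{ip} - - [{ts}] "GET /index.php?page={i} HTTP/1.1" 200 512'

    spider = [line("198.51.100.7", i // 10, i) for i in range(100)]
    user = [line("192.0.2.10", s, s) for s in (1, 3, 5, 7, 9)]
    return spider + user


def flag_bursty_clients(lines, window_s=10, threshold=30):
    """Detection side of the same budget: clients exceeding `threshold` requests in
    any sliding `window_s` second window. Default threshold = burst + refill * window."""
    per_ip = defaultdict(list)
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue                           # malformed line: skip, never crash
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        per_ip[m.group(1)].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] >= window_s:   # keep window at [t - window_s, t]
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(replay(Throttle(), constructed_trace()))   # spider: 29 admitted, 71 x 429
    print(flag_bursty_clients(constructed_log()))    # {'198.51.100.7': 100}
```

Two design points worth noting. The per-client bucket is checked before the global cap, so a single aggressive client is answered with 429 and attributed to its own address before it can consume the shared in-flight budget that protects everyone else; the 503 path only fires when many clients together exceed what the server will hold. The detector reuses the throttle's parameters (burst plus refill times window), so an alert on historical logs means the same request pattern the boundary control would have throttled, which keeps prevention and detection tuned to one another.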
