CVE-2025-2905

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the server’s filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-05-05 09:15

Updated : 2025-10-16 12:15

NVD link : CVE-2025-2905

Mitre link : CVE-2025-2905

CVE.ORG link : CVE-2025-2905

JSON object : View

Products Affected

wso2

api_manager

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2025-2905", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2025-05-05T09:15:15.923", "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/", "tags": ["Vendor Advisory"], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products.\n\nA successful XXE attack could allow a remote, unauthenticated attacker to:\n * Read sensitive files from the server\u2019s filesystem.\n * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable."}, {"lang": "es", "value": "Existe una vulnerabilidad de Entidad Externa XML (XXE) en el componente de puerta de enlace de WSO2 API Manager debido a una validaci\u00f3n insuficiente de la entrada XML en rutas URL manipulada. El XML proporcionado por el usuario se analiza sin las restricciones adecuadas, lo que permite la resoluci\u00f3n de entidades externas. Esta vulnerabilidad puede ser explotada por un atacante remoto no autenticado para leer archivos del sistema de archivos del servidor o realizar ataques de denegaci\u00f3n de servicio (DoS). * En sistemas con JDK 7 o versiones anteriores de JDK 8, el contenido completo de los archivos puede quedar expuesto. * En versiones posteriores de JDK 8 y posteriores, solo se puede leer la primera l\u00ednea de un archivo, gracias a mejoras en el comportamiento del analizador XML. * Los ataques DoS, como los payloads \"Billion Laughs\", pueden causar interrupciones del servicio."}], "lastModified": "2025-10-16T12:15:47.167", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D867B74E-5FA8-46AF-86D2-FFD478CD5ACC", "versionEndIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}