CVE-2025-2905

An XML External Entity (XXE) vulnerability in Multiple WSO2 Products

CVSS 9.1 CRITICALEPSS 1.1%CWE-611

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the server’s filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Produtos afetados

WSO2 · WSO2 API Manager WSO2 · WSO2 Enterprise Integrator WSO2 · WSO2 Enterprise Service Bus WSO2 · WSO2 Micro integrator WSO2 · WSO2 Open Banking AM

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/