CVE-2025-2905

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-2905
Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the server’s filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/ Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
History

16 Oct 2025, 12:15

Type Values Removed Values Added
Summary (en) An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks. * On systems running JDK 7 or early JDK 8, full file contents may be exposed. * On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior. * DoS attacks such as "Billion Laughs" payloads can cause service disruption. (en) Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the server’s filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.

02 Oct 2025, 16:27

Type Values Removed Values Added
First Time Wso2
Wso2 api Manager
CPE cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
References () https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/ - () https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/ - Vendor Advisory

05 May 2025, 20:54

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-05 09:15

Updated : 2025-10-16 12:15

NVD link : CVE-2025-2905

Mitre link : CVE-2025-2905

CVE.ORG link : CVE-2025-2905

JSON object : View

Products Affected

wso2

  • api_manager
CWE
CWE-611

Improper Restriction of XML External Entity Reference