CVE-2025-2905 (GCVE-0-2025-2905)
Vulnerability from cvelistv5
Published: 2025-05-05 09:02
Modified: 2025-05-05 12:45
Severity: CRITICAL (CVSS 3.1 base score 9.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Summary
An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks.
  • On systems running JDK 7 or early JDK 8, full file contents may be exposed.
  • On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior.
  • DoS attacks such as "Billion Laughs" payloads can cause service disruption.
Impacted products
Vendor | Product | Version
WSO2 | WSO2 API Manager | 0 (affected range per the record: all versions up to and including 2.0.0)
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-2905",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-05T12:44:33.257401Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-05T12:45:10.518Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WSO2 API Manager",
          "vendor": "WSO2",
          "versions": [
            {
              "lessThanOrEqual": "2.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "crnkovic"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution.\u003c/p\u003e\n\u003cp\u003eThis vulnerability can be exploited by an unauthenticated remote attacker to read files from the server\u2019s filesystem or perform denial-of-service (DoS) attacks.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eOn systems running \u003cstrong\u003eJDK 7 or early JDK 8\u003c/strong\u003e, full file contents may be exposed.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eOn \u003cstrong\u003elater versions of JDK 8 and newer\u003c/strong\u003e, only the \u003cstrong\u003efirst line\u003c/strong\u003e of a file may be read, due to improvements in XML parser behavior.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDoS attacks such as \"Billion Laughs\" payloads can cause service disruption.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution.\n\n\nThis vulnerability can be exploited by an unauthenticated remote attacker to read files from the server\u2019s filesystem or perform denial-of-service (DoS) attacks.\n\n\n\n  *  \nOn systems running JDK 7 or early JDK 8, full file contents may be exposed.\n\n\n\n\n  *  \nOn later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior.\n\n\n\n\n  *  \nDoS attacks such as \"Billion Laughs\" payloads can cause service disruption."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-05T09:02:01.489Z",
        "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "shortName": "WSO2"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Follow the instructions given on\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3...\u003c/a\u003e\u003cbr\u003e"
            }
          ],
          "value": "Follow the instructions given on\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution"
        }
      ],
      "source": {
        "advisory": "WSO2-2025-3993",
        "discovery": "EXTERNAL"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "Unauthenticated XML External Entity (XXE) Vulnerability in WSO2 API Manager Gateway Component",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
    "assignerShortName": "WSO2",
    "cveId": "CVE-2025-2905",
    "datePublished": "2025-05-05T09:02:01.489Z",
    "dateReserved": "2025-03-28T08:46:09.062Z",
    "dateUpdated": "2025-05-05T12:45:10.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-2905\",\"sourceIdentifier\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"published\":\"2025-05-05T09:15:15.923\",\"lastModified\":\"2025-05-05T20:54:19.760\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[{\"sourceIdentifier\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"tags\":[\"unsupported-when-assigned\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution.\\n\\n\\nThis vulnerability can be exploited by an unauthenticated remote attacker to read files from the server\u2019s filesystem or perform denial-of-service (DoS) attacks.\\n\\n\\n\\n  *  \\nOn systems running JDK 7 or early JDK 8, full file contents may be exposed.\\n\\n\\n\\n\\n  *  \\nOn later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior.\\n\\n\\n\\n\\n  *  \\nDoS attacks such as \\\"Billion Laughs\\\" payloads can cause service disruption.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de Entidad Externa XML (XXE) en el componente de puerta de enlace de WSO2 API Manager debido a una validaci\u00f3n insuficiente de la entrada XML en rutas URL manipulada. El XML proporcionado por el usuario se analiza sin las restricciones adecuadas, lo que permite la resoluci\u00f3n de entidades externas. Esta vulnerabilidad puede ser explotada por un atacante remoto no autenticado para leer archivos del sistema de archivos del servidor o realizar ataques de denegaci\u00f3n de servicio (DoS). * En sistemas con JDK 7 o versiones anteriores de JDK 8, el contenido completo de los archivos puede quedar expuesto. 
* En versiones posteriores de JDK 8 y posteriores, solo se puede leer la primera l\u00ednea de un archivo, gracias a mejoras en el comportamiento del analizador XML. * Los ataques DoS, como los payloads \\\"Billion Laughs\\\", pueden causar interrupciones del servicio.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"references\":[{\"url\":\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/\",\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"product\": \"WSO2 API Manager\", \"vendor\": \"WSO2\", \"versions\": [{\"lessThanOrEqual\": \"2.0.0\", \"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\"}]}], \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"crnkovic\"}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"\u003cp\u003eAn XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution.\u003c/p\u003e\\n\u003cp\u003eThis vulnerability can be exploited by an unauthenticated remote attacker to read files from the server\\u2019s filesystem or perform denial-of-service (DoS) attacks.\u003c/p\u003e\\n\u003cul\u003e\\n\u003cli\u003e\\n\u003cp\u003eOn systems running \u003cstrong\u003eJDK 7 or early JDK 8\u003c/strong\u003e, full file contents may be exposed.\u003c/p\u003e\\n\u003c/li\u003e\\n\u003cli\u003e\\n\u003cp\u003eOn \u003cstrong\u003elater versions of JDK 8 and newer\u003c/strong\u003e, only the \u003cstrong\u003efirst line\u003c/strong\u003e of a file may be read, due to improvements in XML parser behavior.\u003c/p\u003e\\n\u003c/li\u003e\\n\u003cli\u003e\\n\u003cp\u003eDoS attacks such as \\\"Billion Laughs\\\" payloads can cause service disruption.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\"}], \"value\": \"An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. 
User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution.\\n\\n\\nThis vulnerability can be exploited by an unauthenticated remote attacker to read files from the server\\u2019s filesystem or perform denial-of-service (DoS) attacks.\\n\\n\\n\\n  *  \\nOn systems running JDK 7 or early JDK 8, full file contents may be exposed.\\n\\n\\n\\n\\n  *  \\nOn later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior.\\n\\n\\n\\n\\n  *  \\nDoS attacks such as \\\"Billion Laughs\\\" payloads can cause service disruption.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\", \"version\": \"3.1\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-611\", \"description\": \"CWE-611 Improper Restriction of XML External Entity Reference\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"ed10eef1-636d-4fbe-9993-6890dfa878f8\", \"shortName\": \"WSO2\", \"dateUpdated\": \"2025-05-05T09:02:01.489Z\"}, \"references\": [{\"tags\": [\"vendor-advisory\"], \"url\": \"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/\"}], \"solutions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"Follow the instructions given on\u0026nbsp;\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" 
href=\\\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution\\\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3...\u003c/a\u003e\u003cbr\u003e\"}], \"value\": \"Follow the instructions given on\\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution\"}], \"source\": {\"advisory\": \"WSO2-2025-3993\", \"discovery\": \"EXTERNAL\"}, \"tags\": [\"unsupported-when-assigned\"], \"title\": \"Unauthenticated XML External Entity (XXE) Vulnerability in WSO2 API Manager Gateway Component\", \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-2905\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-05T12:44:33.257401Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-05T12:44:38.267Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-2905\", \"assignerOrgId\": \"ed10eef1-636d-4fbe-9993-6890dfa878f8\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"WSO2\", \"dateReserved\": \"2025-03-28T08:46:09.062Z\", \"datePublished\": \"2025-05-05T09:02:01.489Z\", \"dateUpdated\": \"2025-05-05T12:45:10.518Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}