CVE-2025-10713

Summary

An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.

A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Enterprise Integrator0 < 6.6.0unknown
WSO2WSO2 Enterprise Integrator6.6.0 < 6.6.0.223affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.27affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.25affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.25affected
WSO2WSO2 API Manager0 < 3.1.0unknown
WSO2WSO2 API Manager3.1.0 < 3.1.0.344affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.445affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.65affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.365affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.227affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.167affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.79affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.43affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.26affected
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.373affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.417affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.29affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.413affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.393affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.363affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.localentry4.7.30 < 4.7.30.46affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.localentry4.7.61 < 4.7.61.61affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.localentry4.7.99 < 4.7.99.303affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.localentry4.7.131 < 4.7.131.21affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.localentry4.7.175 < 4.7.175.29affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.localentry4.7.188 < 4.7.188.11affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.localentry4.7.204 < 4.7.204.12affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.localentry4.7.221 < 4.7.221.6affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.localentry4.7.245 < 4.7.245.6affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.localentry4.7.259 <= *unaffected

Weaknesses

  • CWE-611: CWE-611 Improper Restriction of XML External Entity Reference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References