CVE-2025-10907

Summary

An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.

Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 3.1.0unknown
WSO2WSO2 API Manager3.1.0 < 3.1.0.345affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.448affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.66affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.367affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.230affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.169affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.81affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.45affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.28affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.414affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.394affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.29affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.27affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.27affected
WSO2WSO2 Micro Integrator0 < 4.0.0unknown
WSO2WSO2 Micro Integrator4.0.0 < 4.0.0.145affected
WSO2WSO2 Micro Integrator4.1.0 < 4.1.0.147affected
WSO2WSO2 Micro Integrator4.2.0 < 4.2.0.141affected
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.375affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.419affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.248affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.248affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.124affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.31affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.365affected
WSO2WSO2 Enterprise Integrator0 < 6.6.0unknown
WSO2WSO2 Enterprise Integrator6.6.0 < 6.6.0.224affected
WSO2org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt0.14.13 < 0.14.13.8affected
WSO2org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt0.14.16 < 0.14.16.1affected
WSO2org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core2.2.14 < 2.2.14.7affected
WSO2org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core2.2.17 < 2.2.17.2affected
WSO2org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core2.3.1 < 2.3.1.3affected
WSO2org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core2.3.19 <= *unaffected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.mediation.library4.7.30 < 4.7.30.47affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.mediation.library4.7.61 < 4.7.61.62affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.mediation.library4.7.99 < 4.7.99.304affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.mediation.library4.7.131 < 4.7.131.22affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.mediation.library4.7.175 < 4.7.175.30affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.mediation.library4.7.188 < 4.7.188.12affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.mediation.library4.7.204 < 4.7.204.13affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.mediation.library4.7.221 < 4.7.221.7affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.mediation.library4.7.245 < 4.7.245.7affected
WSO2org.wso2.carbon.mediation:org.wso2.carbon.mediation.library4.7.262 <= *unaffected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.module.mgt4.9.15 < 4.9.15.2affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.module.mgt4.10.1 < 4.10.1.1affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.module.mgt4.10.9 < 4.10.9.2affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.module.mgt4.11.1 < 4.11.1.3affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.module.mgt4.11.3 < 4.11.3.3affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.module.mgt4.11.7 < 4.11.7.5affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.module.mgt4.11.14 < 4.11.14.2affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.module.mgt4.11.17 < 4.11.17.3affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.module.mgt4.11.18 < 4.11.18.1affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.module.mgt4.11.24 <= *unaffected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt4.10.1 < 4.10.1.1affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt4.10.9 < 4.10.9.2affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt4.11.1 < 4.11.1.3affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt4.11.3 < 4.11.3.3affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt4.11.7 < 4.11.7.5affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt4.11.14 < 4.11.14.2affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt4.11.17 < 4.11.17.3affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt4.11.18 < 4.11.18.1affected
WSO2org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt4.11.24 <= *unaffected
WSO2org.apache.ws.commons.axiom.wso2:axiom1.2.11 < 1.2.11.wso2v17_5affected
WSO2org.apache.ws.commons.axiom.wso2:axiom1.2.11-wso2v21 <= *unaffected
WSO2org.wso2.carbon:org.wso2.carbon.base4.5.3 < 4.5.3.46affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.6.0 < 4.6.0.2005affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.6.1 < 4.6.1.153affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.6.2 < 4.6.2.668affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.6.3 < 4.6.3.37affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.6.4 < 4.6.4.15affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.7.1 < 4.7.1.72affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.8.1 < 4.8.1.40affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9.0 < 4.9.0.103affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9.26 < 4.9.26.26affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9.27 < 4.9.27.11affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9.28 < 4.9.28.12affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.10.9 < 4.10.9.71affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.10.42 < 4.10.42.14affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9.30 <= 4.9.*unaffected
WSO2org.wso2.carbon:org.wso2.carbon.base4.10.95 <= *unaffected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.5.3 < 4.5.3.46affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.6.0 < 4.6.0.2005affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.6.1 < 4.6.1.153affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.6.2 < 4.6.2.668affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.6.3 < 4.6.3.37affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.6.4 < 4.6.4.15affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.7.1 < 4.7.1.72affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.8.1 < 4.8.1.40affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.9.0 < 4.9.0.103affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.9.26 < 4.9.26.26affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.9.27 < 4.9.27.11affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.9.28 < 4.9.28.12affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.10.9 < 4.10.9.71affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.10.42 < 4.10.42.14affected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.9.30 <= 4.9.*unaffected
WSO2org.wso2.carbon:org.wso2.carbon.utils4.10.95 <= *unaffected

Weaknesses

  • CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References