CVE-2025-11093

Summary

An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.

By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Micro Integrator0 < 4.0.0unknown
WSO2WSO2 Micro Integrator4.0.0 < 4.0.0.145affected
WSO2WSO2 Micro Integrator4.1.0 < 4.1.0.147affected
WSO2WSO2 Micro Integrator4.2.0 < 4.2.0.141affected
WSO2WSO2 Micro Integrator4.3.0 < 4.3.0.42affected
WSO2WSO2 Micro Integrator4.4.0 < 4.4.0.27affected
WSO2WSO2 API Manager0 < 3.1.0unknown
WSO2WSO2 API Manager3.1.0 < 3.1.0.345affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.446affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.66affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.366affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.228affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.169affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.81affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.45affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.28affected
WSO2WSO2 Enterprise Integrator0 < 6.6.0unknown
WSO2WSO2 Enterprise Integrator6.6.0 < 6.6.0.224affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.27affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.29affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.27affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.414affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.394affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.365affected
WSO2org.apache.synapse:synapse-core2.1.7.wso2v227 < 2.1.7.wso2v227_99affected
WSO2org.apache.synapse:synapse-core2.1.7.wso2v271 < 2.1.7.wso2v271_88affected
WSO2org.apache.synapse:synapse-core2.1.7.wso2v143 < 2.1.7.wso2v143_121affected
WSO2org.apache.synapse:synapse-core2.1.7.wso2v319 < 2.1.7.wso2v319_13affected
WSO2org.apache.synapse:synapse-core2.1.7.wso2v183 < 2.1.7.wso2v183_72affected
WSO2org.apache.synapse:synapse-core4.0.0.wso2v119 < 4.0.0.wso2v119_27affected
WSO2org.apache.synapse:synapse-core4.0.0.wso2v20 < 4.0.0.wso2v20_93affected
WSO2org.apache.synapse:synapse-core4.0.0.wso2v215 < 4.0.0.wso2v215_26affected
WSO2org.apache.synapse:synapse-core4.0.0.wso2v218 < 4.0.0.wso2v218_1affected
WSO2org.apache.synapse:synapse-core4.0.0.wso2v105 < 4.0.0.wso2v105_13affected
WSO2org.apache.synapse:synapse-core4.0.0.wso2v131 < 4.0.0.wso2v131_5affected
WSO2org.apache.synapse:synapse-core4.0.0-wso2v254 <= *unaffected
WSO2org.apache.synapse:synapse-extensions2.1.7.wso2v227 < 2.1.7.wso2v227_99affected
WSO2org.apache.synapse:synapse-extensions2.1.7.wso2v271 < 2.1.7.wso2v271_88affected
WSO2org.apache.synapse:synapse-extensions2.1.7.wso2v143 < 2.1.7.wso2v143_121affected
WSO2org.apache.synapse:synapse-extensions2.1.7.wso2v319 < 2.1.7.wso2v319_13affected
WSO2org.apache.synapse:synapse-extensions2.1.7.wso2v183 < 2.1.7.wso2v183_72affected
WSO2org.apache.synapse:synapse-extensions4.0.0.wso2v119 < 4.0.0.wso2v119_27affected
WSO2org.apache.synapse:synapse-extensions4.0.0.wso2v20 < 4.0.0.wso2v20_93affected
WSO2org.apache.synapse:synapse-extensions4.0.0.wso2v215 < 4.0.0.wso2v215_26affected
WSO2org.apache.synapse:synapse-extensions4.0.0.wso2v218 < 4.0.0.wso2v218_1affected
WSO2org.apache.synapse:synapse-extensions4.0.0.wso2v105 < 4.0.0.wso2v105_13affected
WSO2org.apache.synapse:synapse-extensions4.0.0.wso2v131 < 4.0.0.wso2v131_5affected
WSO2org.apache.synapse:synapse-extensions4.0.0-wso2v254 <= *unaffected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References