CVE-2025-2905

Summary

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products.

A successful XXE attack could allow a remote, unauthenticated attacker to:

  • Read sensitive files from the server’s filesystem.
  • Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 2.0.0affected
WSO2WSO2 API Manager2.1.0affected
WSO2WSO2 API Manager2.2.0affected
WSO2WSO2 API Manager2.5.0affected
WSO2WSO2 API Manager2.6.0affected
WSO2WSO2 API Manager3.0.0affected
WSO2WSO2 API Manager3.1.0affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.311affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.152affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.122affected
WSO2WSO2 Enterprise Integrator0 < 6.0.0unknown
WSO2WSO2 Enterprise Integrator6.0.0affected
WSO2WSO2 Enterprise Integrator6.1.0affected
WSO2WSO2 Enterprise Integrator6.1.1affected
WSO2WSO2 Enterprise Integrator6.2.0affected
WSO2WSO2 Enterprise Integrator6.3.0affected
WSO2WSO2 Enterprise Integrator6.4.0affected
WSO2WSO2 Enterprise Integrator6.5.0affected
WSO2WSO2 Enterprise Integrator6.6.0affected
WSO2WSO2 Enterprise Service Bus0 < 4.9.0unknown
WSO2WSO2 Enterprise Service Bus4.9.0affected
WSO2WSO2 Enterprise Service Bus5.0.0affected
WSO2WSO2 Micro integrator0 < 1.0.0unknown
WSO2WSO2 Micro integrator1.0.0affected
WSO2WSO2 Micro integrator1.1.0affected
WSO2WSO2 Micro integrator1.2.0 < 1.2.0.162affected
WSO2WSO2 Micro integrator4.0.0 < 4.0.0.132affected
WSO2WSO2 Micro integrator4.1.0 < 4.1.0.115affected
WSO2WSO2 Micro integrator4.2.0 < 4.2.0.112affected
WSO2WSO2 Open Banking AM0 < 1.5.0unknown
WSO2WSO2 Open Banking AM1.5.0affected

Weaknesses

  • CWE-611: CWE-611 Improper Restriction of XML External Entity Reference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References