CVE-2025-8154

Summary

In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses.

By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 4.1.0unknown
WSO2WSO2 API Manager4.1.0 < 4.1.0.218affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.164affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.74affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.38affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.20affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.19affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.19affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.21affected
WSO2WSO2 Carbon API Gateway9.20.74 < 9.20.74.374affected
WSO2WSO2 Carbon API Gateway9.28.116 < 9.28.116.363affected
WSO2WSO2 Carbon API Gateway9.29.120 < 9.29.120.181affected
WSO2WSO2 Carbon API Gateway9.30.67 < 9.30.67.104affected
WSO2WSO2 Carbon API Gateway9.31.86 < 9.31.86.64affected
WSO2WSO2 Carbon API Gateway9.32.2 <= *unaffected
WSO2WSO2 Carbon API Management Implementation9.20.74 < 9.20.74.374affected
WSO2WSO2 Carbon API Management Implementation9.28.116 < 9.28.116.363affected
WSO2WSO2 Carbon API Management Implementation9.29.120 < 9.29.120.181affected
WSO2WSO2 Carbon API Management Implementation9.30.67 < 9.30.67.104affected
WSO2WSO2 Carbon API Management Implementation9.31.86 < 9.31.86.64affected
WSO2WSO2 Carbon API Management Implementation9.32.2 <= *unaffected

Weaknesses

  • CWE-74: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References