This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks.
*
On systems running JDK 7 or early JDK 8, full file contents may be exposed.
*
On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior.
*
DoS attacks such as "Billion Laughs" payloads can cause service disruption.
Metrics
Affected Vendors & Products
Solution
Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution
Workaround
No workaround given by the vendor.
Thu, 02 Oct 2025 16:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:* |
Sat, 12 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
epss
|
epss
|
Mon, 05 May 2025 13:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Mon, 05 May 2025 09:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks. * On systems running JDK 7 or early JDK 8, full file contents may be exposed. * On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior. * DoS attacks such as "Billion Laughs" payloads can cause service disruption. | |
Title | Unauthenticated XML External Entity (XXE) Vulnerability in WSO2 API Manager Gateway Component | |
Weaknesses | CWE-611 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: WSO2
Published:
Updated: 2025-05-05T12:45:10.518Z
Reserved: 2025-03-28T08:46:09.062Z
Link: CVE-2025-2905

Updated: 2025-05-05T12:44:38.267Z

Status : Analyzed
Published: 2025-05-05T09:15:15.923
Modified: 2025-10-02T16:27:31.157
Link: CVE-2025-2905

No data.

Updated: 2025-07-14T22:45:34Z