A successful XXE attack could allow a remote, unauthenticated attacker to:
* Read sensitive files from the server’s filesystem.
* Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.
Metrics
Affected Vendors & Products
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-13367 | WSO2 API Manager XML External Entity (XXE) vulnerability |
Github GHSA |
GHSA-h94w-8qhg-3xmc | WSO2 API Manager XML External Entity (XXE) vulnerability |
Solution
Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution
Workaround
No workaround given by the vendor.
Thu, 16 Oct 2025 11:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks. * On systems running JDK 7 or early JDK 8, full file contents may be exposed. * On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior. * DoS attacks such as "Billion Laughs" payloads can cause service disruption. | Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the server’s filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable. |
| Title | Unauthenticated XML External Entity (XXE) Vulnerability in WSO2 API Manager Gateway Component | An XML External Entity (XXE) vulnerability in Multiple WSO2 Products |
Thu, 02 Oct 2025 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:* |
Sat, 12 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
epss
|
epss
|
Mon, 05 May 2025 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 05 May 2025 09:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks. * On systems running JDK 7 or early JDK 8, full file contents may be exposed. * On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior. * DoS attacks such as "Billion Laughs" payloads can cause service disruption. | |
| Title | Unauthenticated XML External Entity (XXE) Vulnerability in WSO2 API Manager Gateway Component | |
| Weaknesses | CWE-611 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: WSO2
Published:
Updated: 2025-10-16T11:39:21.741Z
Reserved: 2025-03-28T08:46:09.062Z
Link: CVE-2025-2905
Updated: 2025-05-05T12:44:38.267Z
Status : Modified
Published: 2025-05-05T09:15:15.923
Modified: 2025-10-16T12:15:47.167
Link: CVE-2025-2905
No data.
OpenCVE Enrichment
Updated: 2025-07-14T22:45:34Z
EUVD
Github GHSA