
Description

An arbitrary code execution vulnerability exists in multiple WSO2 products because the GraalJS and Nashorn engines used by the Script Mediator do not sufficiently restrict what a mediation script can reach. An authenticated user with elevated privileges can therefore execute arbitrary code within the integration runtime. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager it extends to both administrators and API creators. A trusted but privileged user may thus perform unauthorized actions or compromise the execution environment.
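The weakness class above is a script engine embedded in a Java runtime that lets user-supplied JavaScript reach host classes. The following is an added illustration, not WSO2 code and not the vendor's fix: a host that evaluates a script through GraalJS and through Nashorn with host access left open, beside the same host with host object access and host class lookup denied. The class name, the two scripts and the method names are hypothetical; the "mediation script" is a constructed stand-in for a sequence a privileged user could deploy. Assumed dependencies: org.graalvm.js:js (package org.graalvm.polyglot) and org.openjdk.nashorn:nashorn-core for JDK 15+ (on JDK 8 to 14 the same Nashorn API lives in jdk.nashorn.api.scripting).

```java
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotException;
import org.openjdk.nashorn.api.scripting.ClassFilter;
import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory;

// Hypothetical demo class; not part of any WSO2 product.
public class ScriptEngineSandboxDemo {

    // Constructed stand-in for a user-supplied mediation script. Whoever can deploy the
    // sequence controls this text. Once Java.type resolves a host class, the script is
    // running with the full authority of the integration runtime's JVM.
    static final String HOST_ACCESS_SCRIPT =
        "var sys = Java.type('java.lang.System'); sys.getProperty('java.home');";

    // Constructed stand-in for legitimate transformation logic that needs only JS built-ins.
    static final String BENIGN_SCRIPT =
        "var payload = JSON.parse('{\"amount\": 42}'); JSON.stringify({amount: payload.amount * 2});";

    // GraalJS, permissive: everything the host can do, the script can do.
    static String graalPermissive(String script) {
        try (Context ctx = Context.newBuilder("js").allowAllAccess(true).build()) {
            return ctx.eval("js", script).toString();
        }
    }

    // GraalJS, restricted: no host object access, no host class lookup, no process creation.
    // Context.newBuilder("js").build() already denies all of these; the calls are spelled out
    // so the policy is visible in code review rather than implied by a default.
    static String graalRestricted(String script) {
        try (Context ctx = Context.newBuilder("js")
                .allowHostAccess(HostAccess.NONE)
                .allowHostClassLookup(className -> false)
                .allowCreateProcess(false)
                .build()) {
            return ctx.eval("js", script).toString();
        } catch (PolyglotException e) {
            // Java.type is either undefined or refuses the lookup; either way the script fails closed.
            return "DENIED: " + e.getMessage();
        }
    }

    // Nashorn, permissive: the default engine exposes every class on the classpath via Java.type
    // and the Packages/java globals.
    static String nashornPermissive(String script) throws ScriptException {
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine();
        return String.valueOf(engine.eval(script));
    }

    // Nashorn, restricted: a ClassFilter that rejects every host class name. Where scripts need
    // no Java interop at all, getScriptEngine(new String[]{"--no-java"}) removes the globals outright.
    static String nashornRestricted(String script) {
        ClassFilter denyAll = className -> false;
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine(denyAll);
        try {
            return String.valueOf(engine.eval(script));
        } catch (Exception e) {
            // Filtered lookups surface as a ClassNotFoundException wrapped in a ScriptException.
            return "DENIED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String[][] cases = {{"benign", BENIGN_SCRIPT}, {"host-access", HOST_ACCESS_SCRIPT}};
        for (String[] c : cases) {
            System.out.printf("%-12s graal/permissive  : %s%n", c[0], graalPermissive(c[1]));
            System.out.printf("%-12s graal/restricted  : %s%n", c[0], graalRestricted(c[1]));
            System.out.printf("%-12s nashorn/permissive: %s%n", c[0], nashornPermissive(c[1]));
            System.out.printf("%-12s nashorn/restricted: %s%n", c[0], nashornRestricted(c[1]));
        }
    }
}
```

The benign script produces `{"amount":84}` under all four configurations, which is the check that the restriction does not break ordinary transformations. The host-access script returns the JVM's java.home under the two permissive engines and a DENIED line under the two restricted ones. Denying host access closes the direct route from script to JVM, but the mediator still executes inside the runtime process, so the permission to deploy or edit mediation logic should still be treated as equivalent to code execution on that host and granted accordingly. The actual changes WSO2 shipped are described in the vendor advisory referenced below.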

Status: PUBLISHED | Reserved 2025-09-27 | Published 2025-11-05 | Updated 2025-11-05 | Assigner: WSO2

Severity: HIGH 8.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Vector decoded: adjacent-network attack vector, low attack complexity, high privileges required, no user interaction, changed scope, high impact on confidentiality, integrity and availability.

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected
  Any version before 4.0.0: unknown
  4.0.0 (custom) before 4.0.0.145: affected
  4.1.0 (custom) before 4.1.0.147: affected
  4.2.0 (custom) before 4.2.0.141: affected
  4.3.0 (custom) before 4.3.0.42: affected
  4.4.0 (custom) before 4.4.0.27: affected

Default status: unaffected
  Any version before 3.1.0: unknown
  3.1.0 (custom) before 3.1.0.345: affected
  3.2.0 (custom) before 3.2.0.446: affected
  3.2.1 (custom) before 3.2.1.66: affected
  4.0.0 (custom) before 4.0.0.366: affected
  4.1.0 (custom) before 4.1.0.228: affected
  4.2.0 (custom) before 4.2.0.169: affected
  4.3.0 (custom) before 4.3.0.81: affected
  4.4.0 (custom) before 4.4.0.45: affected
  4.5.0 (custom) before 4.5.0.28: affected

Default status: unaffected
  Any version before 6.6.0: unknown
  6.6.0 (custom) before 6.6.0.224: affected

Default status: unaffected
  4.5.0 (custom) before 4.5.0.27: affected

Default status: unaffected
  4.5.0 (custom) before 4.5.0.29: affected

Default status: unaffected
  4.5.0 (custom) before 4.5.0.27: affected

Default status: unaffected
  Any version before 2.0.0: unknown
  2.0.0 (custom) before 2.0.0.414: affected

Default status: unaffected
  Any version before 2.0.0: unknown
  2.0.0 (custom) before 2.0.0.394: affected

Default status: unaffected
  Any version before 5.10.0: unknown
  5.10.0 (custom) before 5.10.0.365: affected

Default status: unknown
  2.1.7.wso2v227 (custom) before 2.1.7.wso2v227_99: affected
  2.1.7.wso2v271 (custom) before 2.1.7.wso2v271_88: affected
  2.1.7.wso2v143 (custom) before 2.1.7.wso2v143_121: affected
  2.1.7.wso2v319 (custom) before 2.1.7.wso2v319_13: affected
  2.1.7.wso2v183 (custom) before 2.1.7.wso2v183_72: affected
  4.0.0.wso2v119 (custom) before 4.0.0.wso2v119_27: affected
  4.0.0.wso2v20 (custom) before 4.0.0.wso2v20_93: affected
  4.0.0.wso2v215 (custom) before 4.0.0.wso2v215_26: affected
  4.0.0.wso2v218 (custom) before 4.0.0.wso2v218_1: affected
  4.0.0.wso2v105 (custom) before 4.0.0.wso2v105_13: affected
  4.0.0.wso2v131 (custom) before 4.0.0.wso2v131_5: affected
  4.0.0-wso2v254 (custom): unaffected

Default status: unknown
  2.1.7.wso2v227 (custom) before 2.1.7.wso2v227_99: affected
  2.1.7.wso2v271 (custom) before 2.1.7.wso2v271_88: affected
  2.1.7.wso2v143 (custom) before 2.1.7.wso2v143_121: affected
  2.1.7.wso2v319 (custom) before 2.1.7.wso2v319_13: affected
  2.1.7.wso2v183 (custom) before 2.1.7.wso2v183_72: affected
  4.0.0.wso2v119 (custom) before 4.0.0.wso2v119_27: affected
  4.0.0.wso2v20 (custom) before 4.0.0.wso2v20_93: affected
  4.0.0.wso2v215 (custom) before 4.0.0.wso2v215_26: affected
  4.0.0.wso2v218 (custom) before 4.0.0.wso2v218_1: affected
  4.0.0.wso2v105 (custom) before 4.0.0.wso2v105_13: affected
  4.0.0.wso2v131 (custom) before 4.0.0.wso2v131_5: affected
  4.0.0-wso2v254 (custom): unaffected

Credits

crnković (reporter)

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-4510/ (vendor advisory)

cve.org (CVE-2025-11093)

nvd.nist.gov (CVE-2025-11093)
