Home

Description

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the server’s filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.

PUBLISHED Reserved 2025-03-28 | Published 2025-05-05 | Updated 2025-10-16 | Assigner WSO2




CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Problem types

CWE-611 Improper Restriction of XML External Entity Reference

Product status

Default status
unaffected

Any version before 2.0.0
affected

2.1.0 (custom)
affected

2.2.0 (custom)
affected

2.5.0 (custom)
affected

2.6.0 (custom)
affected

3.0.0 (custom)
affected

3.1.0 (custom)
affected

4.0.0 (custom) before 4.0.0.311
affected

4.1.0 (custom) before 4.1.0.152
affected

4.2.0 (custom) before 4.2.0.122
affected

Default status
unaffected

Any version before 6.0.0
unknown

6.0.0 (custom)
affected

6.1.0 (custom)
affected

6.1.1 (custom)
affected

6.2.0 (custom)
affected

6.3.0 (custom)
affected

6.4.0 (custom)
affected

6.5.0 (custom)
affected

6.6.0 (custom)
affected

Default status
unaffected

Any version before 4.9.0
unknown

4.9.0 (custom)
affected

5.0.0 (custom)
affected

Default status
unaffected

Any version before 1.0.0
unknown

1.0.0 (custom)
affected

1.1.0 (custom)
affected

1.2.0 (custom) before 1.2.0.162
affected

4.0.0 (custom) before 4.0.0.132
affected

4.1.0 (custom) before 4.1.0.115
affected

4.2.0 (custom) before 4.2.0.112
affected

Default status
unaffected

Any version before 1.5.0
unknown

1.5.0 (custom)
affected

Credits

crnkovic reporter

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-3993/ vendor-advisory

cve.org (CVE-2025-2905)

nvd.nist.gov (CVE-2025-2905)

Download JSON