WSO2 XML External Entity (XXE) In Parser Vulnerability
CVE-2024-2374 Published on April 16, 2026
XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary File Read and Denial of Service
The XML parsers within multiple WSO2 products accept user-supplied XML data without being configured to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, causing it to include external resources in its processing.
By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.
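The hardening that closes this class of bug in a Java (JAXP) DOM parser, shown as an added example that is not WSO2's code or the fix shipped in these products: a default-configured factory beside a hardened one, both run against a constructed document carrying a DOCTYPE. The class name, the sample documents and the choice of features are assumptions; the feature URIs are the standard Xerces/SAX ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Default factory: DTDs are processed and external entities are resolved.
    // This is the weak configuration the advisory describes.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: DOCTYPE rejected outright, external entities and XInclude off.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE blocks external entities and recursive entity expansion alike.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should the DOCTYPE restriction ever be relaxed.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // Secure processing additionally caps entity expansion counts.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf;
    }

    // Returns true when the factory's parser accepts the document, false when it rejects it.
    static boolean parses(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a harmless internal entity is enough to trigger the DOCTYPE check.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        String plain = "<r>x</r>";
        System.out.println("weak parser accepts DOCTYPE:       " + parses(weakFactory(), withDoctype));
        System.out.println("hardened parser accepts DOCTYPE:   " + parses(hardenedFactory(), withDoctype));
        System.out.println("hardened parser accepts plain XML: " + parses(hardenedFactory(), plain));
    }
}
```

The same features apply to SAXParserFactory and, via XMLInputFactory properties, to StAX; whichever parser a product exposes to untrusted input needs the equivalent settings.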
Vulnerability Analysis
CVE-2024-2374 is exploitable with network access and requires neither privileges nor user interaction. Its attack complexity is rated low. A successful exploit is rated as having a high impact on confidentiality and no impact on integrity or availability.
Weakness Type
What is an XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2024-2374 has been classified as an XXE vulnerability or weakness.
Products Associated with CVE-2024-2374
Affected Versions
WSO2 API Manager:
- Before 3.1.0: unknown.
- From 3.1.0 up to (but not including) 3.1.0.278: affected.
- From 3.2.0 up to (but not including) 3.2.0.368: affected.
- From 4.0.0 up to (but not including) 4.0.0.280: affected.
- From 4.1.0 up to (but not including) 4.1.0.206: affected.
- From 4.2.0 up to (but not including) 4.2.0.144: affected.
- From 4.3.0 up to (but not including) 4.3.0.57: affected.
- Before 5.10.0: unknown.
- From 5.10.0 up to (but not including) 5.10.0.300: affected.
- From 5.11.0 up to (but not including) 5.11.0.329: affected.
- From 6.0.0 up to (but not including) 6.0.0.179: affected.
- From 6.1.0 up to (but not including) 6.1.0.136: affected.
- Before 2.0.0: unknown.
- From 2.0.0 up to (but not including) 2.0.0.328: affected.
- Before 2.0.0: unknown.
- From 2.0.0 up to (but not including) 2.0.0.348: affected.
- Before 5.10.0: unknown.
- From 5.10.0 up to (but not including) 5.10.0.296: affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares with those of all other vulnerabilities.