XXE Vulnerability in WSO2 XML Parser
CVE-2025-10713 Published on November 5, 2025
XML External Entity (XXE) Vulnerability in Multiple WSO2 Products Due to Improper XML Parser Configuration
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.
A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
Vulnerability Analysis
CVE-2025-10713 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a high impact on availability.
Weakness Type
What is a XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2025-10713 has been classified to as a XXE vulnerability or weakness.
Products Associated with CVE-2025-10713
Want to know whenever a new CVE is published for Wso2 products? stack.watch will email you.
Affected Versions
WSO2 Enterprise Integrator:- Before 6.6.0 is unknown.
- Version 6.6.0 and below 6.6.0.223 is affected.
- Version 4.5.0 and below 4.5.0.27 is affected.
- Version 4.5.0 and below 4.5.0.25 is affected.
- Version 4.5.0 and below 4.5.0.25 is affected.
- Before 3.1.0 is unknown.
- Version 3.1.0 and below 3.1.0.344 is affected.
- Version 3.2.0 and below 3.2.0.445 is affected.
- Version 3.2.1 and below 3.2.1.65 is affected.
- Version 4.0.0 and below 4.0.0.365 is affected.
- Version 4.1.0 and below 4.1.0.227 is affected.
- Version 4.2.0 and below 4.2.0.167 is affected.
- Version 4.3.0 and below 4.3.0.79 is affected.
- Version 4.4.0 and below 4.4.0.43 is affected.
- Version 4.5.0 and below 4.5.0.26 is affected.
- Before 5.10.0 is unknown.
- Version 5.10.0 and below 5.10.0.373 is affected.
- Version 5.11.0 and below 5.11.0.417 is affected.
- Version 7.1.0 and below 7.1.0.29 is affected.
- Before 2.0.0 is unknown.
- Version 2.0.0 and below 2.0.0.413 is affected.
- Before 2.0.0 is unknown.
- Version 2.0.0 and below 2.0.0.393 is affected.
- Before 5.10.0 is unknown.
- Version 5.10.0 and below 5.10.0.363 is affected.
- Version 4.7.30 and below 4.7.30.46 is affected.
- Version 4.7.61 and below 4.7.61.61 is affected.
- Version 4.7.99 and below 4.7.99.303 is affected.
- Version 4.7.131 and below 4.7.131.21 is affected.
- Version 4.7.175 and below 4.7.175.29 is affected.
- Version 4.7.188 and below 4.7.188.11 is affected.
- Version 4.7.204 and below 4.7.204.12 is affected.
- Version 4.7.221 and below 4.7.221.6 is affected.
- Version 4.7.245 and below 4.7.245.6 is affected.
- Version 4.7.259, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.