Arbitrary Code Exec via Unrestricted GraalJS/NashornJS in WSO2 Integrators
CVE-2025-11093 Published on November 5, 2025

Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS)
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.

Vendor Advisory NVD

Vulnerability Analysis

Attack Vector:

ADJACENT_NETWORK

Attack Complexity:

LOW

Privileges Required:

HIGH

User Interaction:

NONE

Scope:

CHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2025-11093 has been classified to as a Code Injection vulnerability or weakness.

Products Associated with CVE-2025-11093

Want to know whenever a new CVE is published for Wso2 products? stack.watch will email you.

Wso2 Micro Integrator

Wso2 Api Manager

Wso2 Enterprise Integrator

Wso2 Universal Gateway

Wso2 Api Control Plane

Wso2 Traffic Manager

Wso2 Open Banking Iam

Wso2 Open Banking Am

Wso2 Identity Server As Key Manager

Wso2 Org Apache Synapse Synapse Core

Wso2 Org Apache Synapse Synapse Extensions

Affected Versions

WSO2 Micro Integrator:

Before 4.0.0 is unknown.
Version 4.0.0 and below 4.0.0.145 is affected.
Version 4.1.0 and below 4.1.0.147 is affected.
Version 4.2.0 and below 4.2.0.141 is affected.
Version 4.3.0 and below 4.3.0.42 is affected.
Version 4.4.0 and below 4.4.0.27 is affected.

WSO2 API Manager:

Before 3.1.0 is unknown.
Version 3.1.0 and below 3.1.0.345 is affected.
Version 3.2.0 and below 3.2.0.446 is affected.
Version 3.2.1 and below 3.2.1.66 is affected.
Version 4.0.0 and below 4.0.0.366 is affected.
Version 4.1.0 and below 4.1.0.228 is affected.
Version 4.2.0 and below 4.2.0.169 is affected.
Version 4.3.0 and below 4.3.0.81 is affected.
Version 4.4.0 and below 4.4.0.45 is affected.
Version 4.5.0 and below 4.5.0.28 is affected.

WSO2 Enterprise Integrator:

Before 6.6.0 is unknown.
Version 6.6.0 and below 6.6.0.224 is affected.

WSO2 Universal Gateway:

Version 4.5.0 and below 4.5.0.27 is affected.

WSO2 API Control Plane:

Version 4.5.0 and below 4.5.0.29 is affected.

WSO2 Traffic Manager:

Version 4.5.0 and below 4.5.0.27 is affected.

WSO2 Open Banking IAM:

Before 2.0.0 is unknown.
Version 2.0.0 and below 2.0.0.414 is affected.

WSO2 Open Banking AM:

Before 2.0.0 is unknown.
Version 2.0.0 and below 2.0.0.394 is affected.

WSO2 Identity Server as Key Manager:

Before 5.10.0 is unknown.
Version 5.10.0 and below 5.10.0.365 is affected.

WSO2 org.apache.synapse:synapse-core:

Version 2.1.7.wso2v227 and below 2.1.7.wso2v227_99 is affected.
Version 2.1.7.wso2v271 and below 2.1.7.wso2v271_88 is affected.
Version 2.1.7.wso2v143 and below 2.1.7.wso2v143_121 is affected.
Version 2.1.7.wso2v319 and below 2.1.7.wso2v319_13 is affected.
Version 2.1.7.wso2v183 and below 2.1.7.wso2v183_72 is affected.
Version 4.0.0.wso2v119 and below 4.0.0.wso2v119_27 is affected.
Version 4.0.0.wso2v20 and below 4.0.0.wso2v20_93 is affected.
Version 4.0.0.wso2v215 and below 4.0.0.wso2v215_26 is affected.
Version 4.0.0.wso2v218 and below 4.0.0.wso2v218_1 is affected.
Version 4.0.0.wso2v105 and below 4.0.0.wso2v105_13 is affected.
Version 4.0.0.wso2v131 and below 4.0.0.wso2v131_5 is affected.
Version 4.0.0-wso2v254, <= * is unaffected.

WSO2 org.apache.synapse:synapse-extensions:

Version 2.1.7.wso2v227 and below 2.1.7.wso2v227_99 is affected.
Version 2.1.7.wso2v271 and below 2.1.7.wso2v271_88 is affected.
Version 2.1.7.wso2v143 and below 2.1.7.wso2v143_121 is affected.
Version 2.1.7.wso2v319 and below 2.1.7.wso2v319_13 is affected.
Version 2.1.7.wso2v183 and below 2.1.7.wso2v183_72 is affected.
Version 4.0.0.wso2v119 and below 4.0.0.wso2v119_27 is affected.
Version 4.0.0.wso2v20 and below 4.0.0.wso2v20_93 is affected.
Version 4.0.0.wso2v215 and below 4.0.0.wso2v215_26 is affected.
Version 4.0.0.wso2v218 and below 4.0.0.wso2v218_1 is affected.
Version 4.0.0.wso2v105 and below 4.0.0.wso2v105_13 is affected.
Version 4.0.0.wso2v131 and below 4.0.0.wso2v131_5 is affected.
Version 4.0.0-wso2v254, <= * is unaffected.

Exploit Probability

EPSS

0.11%

Percentile

28.77%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Arbitrary Code Exec via Unrestricted GraalJS/NashornJS in WSO2 IntegratorsCVE-2025-11093 Published on November 5, 2025

Vulnerability Analysis

Weakness Type

What is a Code Injection Vulnerability?

Products Associated with CVE-2025-11093

Affected Versions

Exploit Probability

Arbitrary Code Exec via Unrestricted GraalJS/NashornJS in WSO2 Integrators
CVE-2025-11093 Published on November 5, 2025