XXE in WSO2 API Manager Gateway: Unauth Remote File Read & DoS
CVE-2025-2905 Published on May 5, 2025

An XML External Entity (XXE) vulnerability in Multiple WSO2 Products
Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the servers filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-2905 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a high impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

NONE

Availability Impact:

HIGH

Weakness Type

What is a XXE Vulnerability?

The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVE-2025-2905 has been classified to as a XXE vulnerability or weakness.

Products Associated with CVE-2025-2905

Want to know whenever a new CVE is published for Wso2 products? stack.watch will email you.

Wso2 Api Manager

Wso2 Enterprise Integrator

Wso2 Micro Integrator

Affected Versions

WSO2 API Manager:

Before 2.0.0 is affected.
Version 2.1.0 is affected.
Version 2.2.0 is affected.
Version 2.5.0 is affected.
Version 2.6.0 is affected.
Version 3.0.0 is affected.
Version 3.1.0 is affected.
Version 4.0.0 and below 4.0.0.311 is affected.
Version 4.1.0 and below 4.1.0.152 is affected.
Version 4.2.0 and below 4.2.0.122 is affected.

WSO2 Enterprise Integrator:

Before 6.0.0 is unknown.
Version 6.0.0 is affected.
Version 6.1.0 is affected.
Version 6.1.1 is affected.
Version 6.2.0 is affected.
Version 6.3.0 is affected.
Version 6.4.0 is affected.
Version 6.5.0 is affected.
Version 6.6.0 is affected.

WSO2 Enterprise Service Bus:

Before 4.9.0 is unknown.
Version 4.9.0 is affected.
Version 5.0.0 is affected.

WSO2 Micro integrator:

Before 1.0.0 is unknown.
Version 1.0.0 is affected.
Version 1.1.0 is affected.
Version 1.2.0 and below 1.2.0.162 is affected.
Version 4.0.0 and below 4.0.0.132 is affected.
Version 4.1.0 and below 4.1.0.115 is affected.
Version 4.2.0 and below 4.2.0.112 is affected.

WSO2 Open Banking AM:

Before 1.5.0 is unknown.
Version 1.5.0 is affected.

Exploit Probability

EPSS

0.13%

Percentile

32.54%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

XXE in WSO2 API Manager Gateway: Unauth Remote File Read & DoSCVE-2025-2905 Published on May 5, 2025

Vulnerability Analysis

Weakness Type

What is a XXE Vulnerability?

Products Associated with CVE-2025-2905

Affected Versions

Exploit Probability

XXE in WSO2 API Manager Gateway: Unauth Remote File Read & DoS
CVE-2025-2905 Published on May 5, 2025