WSO2 Carbon Console CSRF via GET in Admin Service State-Changing Ops
CVE-2025-6670 Published on November 18, 2025

Cross-Site Request Forgery (CSRF) in Multiple WSO2 Products via HTTP GET in Admin Services
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-6670 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

What is a Session Riding Vulnerability?

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

CVE-2025-6670 has been classified to as a Session Riding vulnerability or weakness.

Products Associated with CVE-2025-6670

Want to know whenever a new CVE is published for Wso2 products? stack.watch will email you.

Wso2 Traffic Manager

Wso2 Universal Gateway

Wso2 Api Control Plane

Wso2 Api Manager

Wso2 Identity Server

Wso2 Identity Server As Key Manager

Wso2 Enterprise Integrator

Org Wso2 Carbon Org Wso2 Carbon Ui

Affected Versions

WSO2 Open Banking AM:

Before 2.0.0 is unknown.
Version 2.0.0 and below 2.0.0.398 is unaffected.

WSO2 Open Banking IAM:

Before 2.0.0 is unknown.
Version 2.0.0 and below 2.0.0.418 is unaffected.

WSO2 Traffic Manager:

Version 4.5.0 and below 4.5.0.34 is affected.
Version 4.6.0 and below 4.6.0.1 is affected.

WSO2 Universal Gateway:

Version 4.5.0 and below 4.5.0.34 is affected.
Version 4.6.0 and below 4.6.0.1 is affected.

WSO2 API Control Plane:

Version 4.5.0 and below 4.5.0.36 is affected.
Version 4.6.0 and below 4.6.0.1 is affected.

WSO2 API Manager:

Before 3.1.0 is unknown.
Version 3.1.0 and below 3.1.0.349 is affected.
Version 3.2.0 and below 3.2.0.453 is affected.
Version 3.2.1 and below 3.2.1.73 is affected.
Version 4.0.0 and below 4.0.0.373 is affected.
Version 4.1.0 and below 4.1.0.236 is affected.
Version 4.2.0 and below 4.2.0.176 is affected.
Version 4.3.0 and below 4.3.0.88 is affected.
Version 4.4.0 and below 4.4.0.52 is affected.
Version 4.5.0 and below 4.5.0.35 is affected.
Version 4.6.0 and below 4.6.0.1 is affected.

WSO2 Identity Server:

Before 5.10.0 is unknown.
Version 5.10.0 and below 5.10.0.378 is affected.
Version 5.11.0 and below 5.11.0.425 is affected.
Version 6.0.0 and below 6.0.0.252 is affected.
Version 6.1.0 and below 6.1.0.253 is affected.
Version 7.0.0 and below 7.0.0.130 is affected.
Version 7.1.0 and below 7.1.0.38 is affected.
Version 7.2.0 and below 7.2.0.1 is affected.

WSO2 Identity Server as Key Manager:

Before 5.10.0 is unknown.
Version 5.10.0 and below 5.10.0.369 is affected.

WSO2 Enterprise Integrator:

Before 6.6.0 is unknown.
Version 6.6.0 and below 6.6.0.226 is affected.

org.wso2.carbon:org.wso2.carbon.ui:

Version 4.5.3 and below 4.5.3.50 is affected.
Version 4.6.0 and below 4.6.0.2253 is affected.
Version 4.6.1 and below 4.6.1.157 is affected.
Version 4.6.2 and below 4.6.2.673 is affected.
Version 4.6.3 and below 4.6.3.41 is affected.
Version 4.6.4 and below 4.6.4.22 is affected.
Version 4.7.1 and below 4.7.1.73 is affected.
Version 4.8.1 and below 4.8.1.43 is affected.
Version 4.9.0 and below 4.9.0.106 is affected.
Version 4.9.26 and below 4.9.26.31 is affected.
Version 4.9.27 and below 4.9.27.16 is affected.
Version 4.9.28 and below 4.9.28.18 is affected.
Version 4.9.33 and below 4.9.33.2 is affected.
Version 4.10.9 and below 4.10.9.75 is affected.
Version 4.10.42 and below 4.10.42.18 is affected.
Version 4.10.101 and below 4.10.101.3 is affected.
Version 4.9.29, <= 4.9.29.* is unaffected.
Version 4.10.65, <= 4.10.* is unaffected.

Exploit Probability

EPSS

0.02%

Percentile

5.82%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

WSO2 Carbon Console CSRF via GET in Admin Service State-Changing OpsCVE-2025-6670 Published on November 18, 2025

Vulnerability Analysis

Weakness Type

What is a Session Riding Vulnerability?

Products Associated with CVE-2025-6670

Affected Versions

Exploit Probability

WSO2 Carbon Console CSRF via GET in Admin Service State-Changing Ops
CVE-2025-6670 Published on November 18, 2025