CVE-2025-46392
WSO2 Products impacted: no
Customer actions required: no
REPORTED VULNERABILITY
A Denial of Service (DoS) vulnerability in Apache Commons Configuration 1.x that can be exploited by supplying a specially crafted configuration file containing malicious or recursive variable interpolation, leading to uncontrolled resource consumption.
REPORTED PRODUCTS
- WSO2 Identity Server: 7.0.0, 7.1.0, 7.2.0
- WSO2 API Manager: 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0
WSO2 JUSTIFICATION
Upon evaluating the impact of upgrading Apache Commons Configuration from version 1.x to 2.x, we identified significant architectural changes that introduce compatibility issues. Version 1.x uses the org.apache.commons.configuration.* package hierarchy, whereas version 2.x has been restructured under org.apache.commons.configuration2.*, with major modifications. Additionally, to make commons-configuration2 function as an OSGi service within the product, several new dependencies must be introduced, increasing the integration complexity. Due to these concerns, we are publishing this CVE justification with a detailed analysis of the CVE, outlining how associated risks are mitigated in WSO2 products.
The reported vulnerability involves uncontrolled resource consumption via malicious or recursive variable interpolation in configuration files. The affected component is used exclusively to load the following configuration files that are not user-controllable in deployment scenarios:
- In WSO2 Identity Server: log4j2.properties
- In WSO2 API Manager: log4j2.properties and Java Message Service (JMS) configuration files.
Therefore, unless an attacker has write access to the server’s filesystem or configuration directories, the vulnerability is not exploitable in practice. Assuming proper server hardening and file system access controls, this issue poses no practical risk.
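The condition described above (a configuration file whose ${...} references form a cycle, or whose expansion grows without bound) can be checked for before a file is handed to the library. The following checker is an added example written for this advisory in Python; it is not code from WSO2 or from Apache Commons Configuration, and it models only the plain ${name} reference syntax, treating prefixed references such as ${sys:...} as opaque. The sample files it audits are constructed for illustration.

```python
import re

# Reference syntax used by Commons Configuration 1.x: ${name}.
_REF = re.compile(r"\$\{([^}]+)\}")

class UnsafeInterpolation(Exception):
    """Raised when a configuration would recurse or blow up during interpolation."""

def parse_properties(text):
    """Minimal .properties reader (key=value or key: value; '#' and '!' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def expand(props, key, max_depth=16, max_len=4096, _chain=()):
    """Expand ${...} in props[key], refusing cycles, deep nesting and oversized output."""
    if key in _chain:
        raise UnsafeInterpolation("cycle: " + " -> ".join(_chain + (key,)))
    if len(_chain) >= max_depth:
        raise UnsafeInterpolation(f"nesting deeper than {max_depth} at {key}")

    def sub(m):
        ref = m.group(1)
        if ref not in props:  # unknown or prefixed refs (sys:, const:) are left untouched
            return m.group(0)
        return expand(props, ref, max_depth, max_len, _chain + (key,))

    value = _REF.sub(sub, props[key])
    if len(value) > max_len:
        raise UnsafeInterpolation(f"{key} expands to {len(value)} chars (> {max_len})")
    return value

def audit(text, **limits):
    """Return (True, expanded values) if every key interpolates safely, else (False, reason)."""
    props = parse_properties(text)
    try:
        return True, {k: expand(props, k, **limits) for k in props}
    except UnsafeInterpolation as err:
        return False, str(err)

# Constructed samples (not from any WSO2 product): benign, cyclic, and exponential growth.
SAFE = "logdir=/var/log/app\nfile=${logdir}/server.log\n"
CYCLIC = "a=${b}\nb=${c}\nc=${a}\n"
DOUBLING = "x0=zz\n" + "".join(f"x{i}=${{x{i-1}}}${{x{i-1}}}\n" for i in range(1, 14))
```

Running audit() over a file before deployment flags both the self-referential case and the doubling case, which is not a cycle but still exhausts memory when expanded without a size limit.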