CVE-2025-59340
WSO2 Products Impacted: Limited
WSO2 Products Severity: Medium
WSO2 Products CVSS Score: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Customers Actions Required: No
REPORTED VULNERABILITY
A deserialization vulnerability in Jinjava prior to 2.8.1 allowed attacker-controlled input, passed through mapper.getTypeFactory().constructFromCanonical(), to make Jackson's ObjectMapper deserialize into arbitrary classes. This permits a sandbox escape (for example, instantiating java.net.URL to read local files) and could potentially lead to remote code execution. The issue is fixed in Jinjava 2.8.1. 1
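The pattern the description names, shown as an added illustration that is not Jinjava's or WSO2's code: a caller-supplied canonical type name is handed to Jackson's TypeFactory and the ObjectMapper then converts an attacker-chosen value into whatever class that name resolves to. The class name, method names and the allow-list in the hardened variant are assumptions made for this example (an allow-list is one possible mitigation, not the upstream 2.8.1 fix); it assumes jackson-databind 2.x on the classpath.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Set;

// Hypothetical demo class; mirrors the vulnerable pattern, not Jinjava's actual source.
public class CanonicalTypeDemo {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // UNSAFE: the canonical type name is attacker-controlled, so Jackson will
    // resolve and instantiate any class it can deserialize into.
    static Object convertUnsafe(Object value, String canonicalTypeName) {
        JavaType target = MAPPER.getTypeFactory().constructFromCanonical(canonicalTypeName);
        return MAPPER.convertValue(value, target);
    }

    // HARDENED: only a closed set of canonical type names is ever resolved.
    // The allow-list contents are an assumption for this example.
    private static final Set<String> ALLOWED_TYPES = Set.of(
            "java.lang.String",
            "java.lang.Integer",
            "java.util.List<java.lang.String>");

    static Object convertAllowListed(Object value, String canonicalTypeName) {
        if (!ALLOWED_TYPES.contains(canonicalTypeName)) {
            // Reject before constructFromCanonical() ever sees the name.
            throw new IllegalArgumentException("type not permitted: " + canonicalTypeName);
        }
        JavaType target = MAPPER.getTypeFactory().constructFromCanonical(canonicalTypeName);
        return MAPPER.convertValue(value, target);
    }

    public static void main(String[] args) {
        // Benign conversion succeeds through the hardened path ("42" is coerced to 42).
        System.out.println(convertAllowListed("42", "java.lang.Integer"));

        // Attacker-chosen type: Jackson's FromStringDeserializer builds a java.net.URL
        // from a plain string, which is the object the description says enables the escape.
        Object url = convertUnsafe("file:///etc/hosts", "java.net.URL");
        System.out.println(url.getClass().getName());

        // The same request is refused by the allow-listed variant before any class is resolved.
        try {
            convertAllowListed("file:///etc/hosts", "java.net.URL");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point to take from the two variants is where the check sits: once constructFromCanonical() has resolved the name, ObjectMapper will deserialize into that type regardless of what the template engine considers "sandboxed", so the type name itself has to be constrained before resolution.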
REPORTED PRODUCTS
- WSO2 API Manager: 3.2.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0
- WSO2 Identity Server: 7.2.0, 7.1.0, 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0
- WSO2 Integrator: MI: 4.1.0, 4.2.0, 4.3.0, 4.4.0
- WSO2 Enterprise Integrator: 6.6.0
WSO2 JUSTIFICATION
Jinjava is used solely for templating the configuration files of WSO2 products. The vulnerability is exploitable only if a malicious actor already has write access to the filesystem hosting the WSO2 product, or to the relevant configuration directories. Under normal circumstances, and when deployments are hardened in accordance with WSO2's Secure Production Deployment Guidelines 2, this vulnerability is not practically exploitable.
Upon evaluating the impact of upgrading Jinjava from version 2.6.0 to 2.8.1, we identified architectural changes that introduce compatibility challenges. Specifically, Jinjava 2.8.1 does not support the Java 11 runtime, while certain WSO2 products are designed to run on Java 11 and above. In light of this, we are publishing this CVE justification with a detailed analysis showing how the associated risks are mitigated within WSO2 products. Nevertheless, our engineering team is actively working on a feasible solution to fully remediate the identified vulnerability in alignment with the WSO2 Support SLA 3, even though practical exploitation in a hardened deployment environment is not possible.