Security Advisory WSO2-2021-1646

Published: March 08, 2022

Version: 1.0.0

Severity: Medium

CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)


  • WSO2 API Manager : 4.0.0 , 3.2.0 , 3.1.0 , 3.0.0 , 2.6.0 , 2.5.0 , 2.2.0
  • WSO2 Identity Server : 5.11.0 , 5.10.0 , 5.9.0 , 5.8.0 , 5.7.0 , 5.6.0 , 5.5.0 , 5.4.1
  • WSO2 IoT Server: 3.3.1


A potential open redirection vulnerability in callback URL.


The WSO2 Secure Deployment guide recommended regex callback URI validation is vulnerable to potential open redirection vulnerability.


By using social engineering techniques, an attacker could persuade a user to click on a valid link (but with a malicious payload) and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or harm otherwise.


In order to mitigate the identified vulnerability, It is highly recommended to apply the below given configuration into the following function following path.

Service Provider > Add/Edit Service Provider > Inbound Authentication Configuration > OAuth/OpenIDConnect Configuration > Configure

Callback URL => regexp=(https://((example1\.com)|(example2:8000))(/callback))

Here example1 and example2 are sample URLs

Moreover, the product documentation is updated with the corrected configuration samples.


WSO2 thanks, Điện Phạm for responsibly reporting the identified issue and working with us as we addressed it.