Security Advisory WSO2-2025-3993/CVE-2025-2905¶
Published: 2025-05-05
Updated: 2025-10-16
Version: 2.0.0
Severity: Critical
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
CVE IDs: CVE-2025-2905
AFFECTED PRODUCTS¶
- WSO2 API Manager 4.2.0, 4.1.0, 4.0.0, 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0, 2.1.0, 2.0.0
- WSO2 Enterprise Integrator 6.6.0, 6.5.0, 6.4.0, 6.3.0, 6.2.0, 6.1.1, 6.1.0, 6.0.0
- WSO2 Enterprise Service Bus 5.0.0, 4.9.0
- WSO2 Micro integrator 4.2.0, 4.1.0, 4.0.0, 1.2.0, 1.1.0, 1.0.0
- WSO2 Open Banking AM 1.5.0
OVERVIEW¶
An XML External Entity (XXE) vulnerability.
DESCRIPTION¶
Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution.
IMPACT¶
A successful XXE attack could allow a remote, unauthenticated attacker to:
- Read sensitive files from the server's filesystem.
- Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.
SOLUTION¶
Community Users (Open Source)¶
Migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders¶
Update your product to the specified update level or a higher update level to apply the fix.
Info
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product Name | Product Version | U2 Update Level |
|---|---|---|
| WSO2 API Manager | 4.2.0 | 122 |
| WSO2 API Manager | 4.1.0 | 152 |
| WSO2 API Manager | 4.0.0 | 311 |
| WSO2 Micro integrator | 4.2.0 | 112 |
| WSO2 Micro integrator | 4.1.0 | 115 |
| WSO2 Micro integrator | 4.0.0 | 132 |
| WSO2 Micro integrator | 1.2.0 | 162 |
Configuration Changes (mandatory)¶
For the WSO2 products listed below, create a file named XMLInputFactory.properties if not found in PRODUCT_HOME, and ensure the following configurations are applied to resolve the issue. Hence, for these products no additional U2 update is required.
- WSO2 API Manager 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0, 2.1.0, 2.0.0
- WSO2 Enterprise Integrator 6.6.0, 6.5.0, 6.4.0, 6.3.0, 6.2.0, 6.1.1, 6.1.0, 6.0.0
- WSO2 Enterprise Service Bus 5.0.0, 4.9.0
- WSO2 Micro integrator 1.1.0, 1.0.0
- WSO2 Open Banking AM 1.5.0
XMLInputFactory.properties content:
javax.xml.stream.supportDTD=false
javax.xml.stream.isSupportingExternalEntities=false
CREDITS¶
WSO2 thanks, crnkovic for responsibly reporting the identified issue and working with us as we addressed it.