Security Advisory WSO2-2025-4510/CVE-2025-11093¶
Published: 2025-11-05
Version: 1.0.0
Severity: High
CVSS Score: 8.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE IDs: CVE-2025-11093
AFFECTED PRODUCTS¶
- WSO2 API Control Plane 4.5.0
- WSO2 API Manager 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0
- WSO2 Enterprise Integrator 6.6.0
- WSO2 Micro Integrator 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0
- WSO2 Traffic Manager 4.5.0
- WSO2 Universal Gateway 4.5.0
OVERVIEW¶
Arbitrary code execution with higher privileged users via GraalJS and NashornJS Script Mediator engines.
DESCRIPTION¶
A malicious authenticated actor with higher privileges can execute arbitrary code due to a lack of controls on the GraalJS and NashornJS Script Mediator engines.
By default, access to Script Mediator engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager it is available to both administrators and API creators.
Note
The previously issued advisory WSO2-2023-2938 addresses the Rhino mediation engine. Please refer to that advisory for additional details. The current advisory (WSO2-2025-4510) provides the required steps to secure Rhino, GraalJS, and NashornJS in script mediation by allowing or blocking Java classes. However, Java method-based allow listing or block listing is not applicable to GraalJS or NashornJS. This functionality is only supported by Rhino discussed in WSO2-2023-2938.
IMPACT¶
By leveraging the vulnerability, a malicious actor may perform an arbitrary remote code execution attack.
SOLUTION¶
Community Users (Open Source)¶
Apply the relevant fixes to your product using the public fix(es) provided below.
If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders¶
Update your product to the specified update level or a higher update level to apply the fix.
Info
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product Name | Product Version | U2 Update Level |
|---|---|---|
| WSO2 API Control Plane | 4.5.0 | 29 |
| WSO2 API Manager | 4.5.0 | 28 |
| WSO2 API Manager | 4.4.0 | 45 |
| WSO2 API Manager | 4.3.0 | 81 |
| WSO2 API Manager | 4.2.0 | 169 |
| WSO2 API Manager | 4.1.0 | 228 |
| WSO2 API Manager | 4.0.0 | 366 |
| WSO2 API Manager | 3.2.1 | 66 |
| WSO2 API Manager | 3.2.0 | 446 |
| WSO2 API Manager | 3.1.0 | 345 |
| WSO2 Enterprise Integrator | 6.6.0 | 224 |
| WSO2 Micro Integrator | 4.4.0 | 27 |
| WSO2 Micro Integrator | 4.3.0 | 42 |
| WSO2 Micro Integrator | 4.2.0 | 141 |
| WSO2 Micro Integrator | 4.1.0 | 147 |
| WSO2 Micro Integrator | 4.0.0 | 145 |
| WSO2 Traffic Manager | 4.5.0 | 27 |
| WSO2 Universal Gateway | 4.5.0 | 27 |
Once you apply the fix using one of the methods mentioned above, it is necessary to follow the instructions provided below according to your specific requirements.
If the Script Mediator is not required for your business use cases, add the following configuration to the deployment.toml file to safeguard your deployment by preventing the execution of script mediation engines.
Edit the file at the product-specific path:
* WSO2 API Manager:
[synapse_properties]
'limit_java_class_access_in_scripts.enable' = true
'limit_java_class_access_in_scripts.list_type' = "BLOCK_LIST"
'limit_java_class_access_in_scripts.class_prefixes' = "java.lang,java.io,java.nio,java.net"
If you have use cases which require usage of Java classes in the Script Mediator, you may fine tune Class level access as detailed below, depending on the use case of the mediation sequence.
We have provided a sample configuration based on the use case where the mediation sequence requires usage of java.util.ArrayList class.
var s = new java.util.ArrayList();
Configuration:¶
In WSO2 API Manager and WSO2 Micro Integrator, you can configure the above policy in the deployment.toml file:
- For API Manager:
/repository/conf/deployment.toml - For Micro Integrator:
/conf/deployment.toml
[synapse_properties]
'limit_java_class_access_in_scripts.enable' = true
'limit_java_class_access_in_scripts.list_type' = "ALLOW_LIST"
# Prefixes of class names, to be allowed or blocked (based on 'limit_java_class_access_in_scripts.list_type')
'limit_java_class_access_in_scripts.class_prefixes' = "java.util.ArrayList"
Similar to ALLOW_LIST, you can also use a BLOCK_LIST as follows, to specifically block only the usage of java.lang.Runtime class.
[synapse_properties]
'limit_java_class_access_in_scripts.enable' = true
'limit_java_class_access_in_scripts.list_type' = "BLOCK_LIST"
# Prefixes of class names, to be allowed or blocked (based on 'limit_java_class_access_in_scripts.list_type')
'limit_java_class_access_in_scripts.class_prefixes' = "java.lang.Runtime"
In WSO2 Enterprise Integrator, the above mentioned policy can be configured in the <EI_HOME>/conf/synapse.properties as follows:
limit_java_class_access_in_scripts.enable = true
limit_java_class_access_in_scripts.list_type = ALLOW_LIST
# Prefixes of class names, to be allowed or blocked (based on 'limit_java_class_access_in_scripts.list_type')
limit_java_class_access_in_scripts.class_prefixes = java.util.ArrayList
Info
The previously issued advisory WSO2-2023-2938 addresses the Rhino mediation engine. Please refer to that advisory for additional details. The current advisory (WSO2-2025-4510) provides the required steps to secure Rhino, GraalJS, and NashornJS in script mediation by allowing or blocking Java classes. However, Java method-based allow listing or block listing is not applicable to GraalJS or NashornJS. This functionality is only supported by Rhino, which is already covered under WSO2-2023-2938.
CREDITS¶
WSO2 thanks, crnković for responsibly reporting the identified issue and working with us as we addressed it.