Security Advisory WSO2-2025-4401/CVE-2025-8325
Published: 2026-01-26
Version: 1.0.0
Severity: Medium
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVE IDs: CVE-2025-8325
AFFECTED PRODUCTS
- WSO2 API Control Plane: 4.5.0
- WSO2 API Manager: 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0
- WSO2 Traffic Manager: 4.5.0
- WSO2 Universal Gateway: 4.5.0
OVERVIEW
Improper access control permits Gateway API invocation by any user holding the Internal/Everyone role.
DESCRIPTION
Due to an improper permission check, users with the Internal/Everyone role can invoke the Gateway APIs, which may lead to unauthorized access to the deployment.
Additionally, the same vulnerability bypasses the access control checks for the Internal Service APIs. Exploiting the Internal Service APIs via the Traffic Manager is highly improbable in APIM 4.x versions, as the Traffic Manager is not externally exposed. However, in APIM 3.x versions the Internal Service APIs may be accessible externally, exposing the vulnerable endpoints.
IMPACT
By leveraging the identified issue, a malicious actor with a valid user account on the vulnerable deployment could perform sensitive operations against the Gateway REST API [1] regardless of their actual roles or privileges. This opens up the possibility of unintended behavior or misuse, especially in production environments.
[1] https://apim.docs.wso2.com/en/4.5.0/reference/product-apis/gateway-apis/gateway-v2/gateway-v2/#
SOLUTION
Community Users (Open Source)
Apply the relevant fixes to your product using the public fix(es) provided below.
If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders
Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.
Info: WSO2 Support Subscription Holders may use WSO2 Updates to apply the fix.
| Product Name | Product Version | Update Level |
|---|---|---|
| WSO2 API Control Plane | 4.5.0 | 18 |
| WSO2 API Manager | 4.5.0 | 17 |
| WSO2 API Manager | 4.4.0 | 33 |
| WSO2 API Manager | 4.3.0 | 70 |
| WSO2 API Manager | 4.2.0 | 157 |
| WSO2 API Manager | 4.1.0 | 219 |
| WSO2 API Manager | 4.0.0 | 355 |
| WSO2 API Manager | 3.2.1 | 55 |
| WSO2 API Manager | 3.2.0 | 435 |
| WSO2 Traffic Manager | 4.5.0 | 17 |
| WSO2 Universal Gateway | 4.5.0 | 17 |