CVE-2025-10503
Description
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting.
An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WSO2 Identity Server's authentication endpoint allows injection of arbitrary JavaScript via unvalidated user input.
Vulnerability
Analysis
CVE-2025-10503 is a reflected cross-site scripting (XSS) vulnerability in WSO2 Identity Server 7.1.0. The root cause lies in the authentication endpoint, which accepts user-supplied input without enforcing the expected validation constraints, leading to a lack of proper output encoding [1]. This allows an attacker to inject a malicious JavaScript payload through an unrestricted user input field [1].
Exploitation
To exploit this vulnerability, an attacker needs to craft a link containing a malicious payload and trick a valid user into clicking it. The attack is unauthenticated, requires user interaction, and is network-based (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) [1]. Since the input is reflected back without encoding, the payload executes in the victim's browser in the context of the vulnerable application [1].
Impact
A successful attack can redirect the victim's browser to a malicious website, modify the user interface of the web page, retrieve sensitive information from the browser, or cause other harmful actions [1]. However, because all session-related sensitive cookies are set with the httpOnly flag, session hijacking or similar attacks are not possible [1]. Consistent with the CVSS vector (C:L/I:L/A:N), the impact is limited to partial loss of confidentiality and integrity, with no availability impact.
Mitigation
WSO2 has released fixes for the issue, available via a public pull request on the identity-apps repository [1]. Users are advised to apply the relevant fix by updating their WSO2 Identity Server to update level 28 or higher, or to migrate to the latest unaffected version [1]. If patching is not immediately feasible, a workaround is not provided; the vendor recommends updating or migrating [1].
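The two missing controls named under Analysis (input validation constraints and output encoding) and the HttpOnly mitigating factor named under Impact, as an added Python illustration that is not WSO2 code; the parameter name, the template and the allowed-format pattern are assumptions, and the probe string is constructed:

```python
# Added illustration (not WSO2 code): a minimal page renderer that reflects a
# request parameter, shown as the vulnerable form and as a hardened form that
# applies the two controls the advisory says were missing.
import html
import re

# Hypothetical parameter name; the actual parameter is not named on the page.
PARAM_NAME = "message"

# Assumed "expected validation constraint": short, printable, markup-free text.
_ALLOWED = re.compile(r"^[A-Za-z0-9 .,_-]{0,200}$")

# Constructed template; the value lands in HTML element content.
TEMPLATE = "<html><body><p id='msg'>{value}</p></body></html>"


def render_vulnerable(value: str) -> str:
    """'Before' form: reflects the parameter with neither validation nor encoding."""
    return TEMPLATE.format(value=value)


def validate(value: str) -> str:
    """Enforce the expected constraint and reject anything else outright."""
    if not _ALLOWED.fullmatch(value):
        raise ValueError(f"rejected {PARAM_NAME!r}: does not match expected format")
    return value


def render_hardened(value: str) -> str:
    """Validate first, then HTML-encode for the element-content context."""
    return TEMPLATE.format(value=html.escape(validate(value), quote=True))


def render_encoded_only(value: str) -> str:
    """Output encoding alone also neutralises the reflection; kept separate to show each control."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie header value with HttpOnly, the flag the advisory credits with preventing session theft."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def is_neutralised(page: str, probe: str) -> bool:
    """True when the raw probe markup no longer appears verbatim in the rendered page."""
    return probe not in page


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed textbook XSS probe
    print(is_neutralised(render_vulnerable(probe), probe))     # False
    print(is_neutralised(render_encoded_only(probe), probe))   # True
```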
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.