VYPR
Moderate severity · NVD Advisory · Published Nov 5, 2025 · Updated Nov 5, 2025

XML External Entity (XXE) Vulnerability in Multiple WSO2 Products Due to Improper XML Parser Configuration

CVE-2025-10713

Description

An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.

A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
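The advisory's point is that the parser, not the application logic, is what resolves entities, so the fix is a factory setting. The Java program below is an added illustration and is not WSO2 code or part of the advisory: it builds a StAX factory configured the way the pre-fix code was and one with the two properties from the fix, runs both over a constructed document that declares an internal entity, and provides a small check that a unit test can apply to any factory. The class name, the sample document and the helper names are this example's own.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added example (not WSO2 code): compares a StAX factory configured like the
 * vulnerable method with one carrying the two properties from the fix.
 */
public class StaxDtdHardeningDemo {

    // Constructed sample input. It declares an *internal* entity so the demo stays
    // self-contained and offline; a real XXE payload declares an external SYSTEM
    // entity that points at a file or URL, which is what the advisory describes.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE localEntry [ <!ENTITY marker \"entity-was-expanded\"> ]>\n"
      + "<localEntry key=\"demo\">&marker;</localEntry>";

    /** Factory configured like the pre-fix code: only non-coalescing parsing is set. */
    static XMLInputFactory permissiveFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_COALESCING, Boolean.FALSE);
        return f;
    }

    /** Factory with the two properties added by the fix. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_COALESCING, Boolean.FALSE);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Check usable from a unit test: both anti-XXE properties must be FALSE on the factory. */
    static boolean isHardened(XMLInputFactory f) {
        return Boolean.FALSE.equals(f.getProperty(XMLInputFactory.SUPPORT_DTD))
            && Boolean.FALSE.equals(f.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
    }

    /**
     * Parses the document and returns the text content seen inside the root element,
     * or "rejected: ..." if the StAX provider refuses the input.
     */
    static String parseRootText(XMLInputFactory f, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                } else if (event == XMLStreamConstants.ENTITY_REFERENCE) {
                    // Some providers report an undeclared entity as an event instead of throwing.
                    text.append("[unexpanded:" + r.getLocalName() + "]");
                }
            }
            r.close();
            return text.toString();
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened check (permissive factory): " + isHardened(permissiveFactory()));
        System.out.println("hardened check (hardened factory):   " + isHardened(hardenedFactory()));
        System.out.println("permissive parse: " + parseRootText(permissiveFactory(), SAMPLE_XML));
        System.out.println("hardened parse:   " + parseRootText(hardenedFactory(), SAMPLE_XML));
    }
}
```

With the permissive factory the entity is expanded and the parse returns the declared replacement text; with the hardened factory the DOCTYPE is not processed, so the reference is never expanded, and whether that surfaces as an exception or as an ENTITY_REFERENCE event depends on the StAX provider in use. The `isHardened` check is the cheaper regression guard: it can be applied to every factory the code base creates without feeding each one a crafted document.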

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.wso2.carbon.mediation:org.wso2.carbon.localentry (Maven)
Affected versions: >= 0
Patched versions: (none listed in the advisory)

Affected products: 4

Patches: 1
b995b2f1db96

Merge pull request #1784 from hisanhunais/parser-fix

Repository: https://github.com/wso2/carbon-mediation · Author: Naduni Pamudika · Sep 22, 2025 · via ghsa
1 file changed · +2 −0
  • components/mediation-admin/org.wso2.carbon.localentry/src/main/java/org/wso2/carbon/localentry/service/LocalEntryAdmin.java (+2 −0, modified)
    @@ -668,6 +668,8 @@ private OMElement nonCoalescingStringToOm(String xmlStr) throws XMLStreamExcepti
             XMLInputFactory xmlInFac = XMLInputFactory.newInstance();
             //Non-Coalescing parsing
             xmlInFac.setProperty("javax.xml.stream.isCoalescing", false);
    +        xmlInFac.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    +        xmlInFac.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
     
             XMLStreamReader parser = xmlInFac.createXMLStreamReader(strReader);
             StAXOMBuilder builder = new StAXOMBuilder(parser);
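Review bot: the two added setProperty calls harden only the XMLInputFactory instance created inside nonCoalescingStringToOm; any other XMLInputFactory.newInstance() in this module that parses caller-supplied XML needs the same SUPPORT_DTD=FALSE and IS_SUPPORTING_EXTERNAL_ENTITIES=FALSE settings, and a one-line comment beside the two lines stating that they exist to block external entity resolution would record the intent for the next reader. SUPPORT_DTD=FALSE is the setting that actually does the work here, since it stops the DOCTYPE (and any entity declarations in it) from being processed at all; IS_SUPPORTING_EXTERNAL_ENTITIES=FALSE is then the second layer. Minor style point: the existing line uses the string literal "javax.xml.stream.isCoalescing" while the new lines use the XMLInputFactory constants; XMLInputFactory.IS_COALESCING would keep the three consistent. Disabling DTD support also changes behaviour for any caller that legitimately passes XML with a DOCTYPE, which is worth stating in the PR description.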
    


References: 6

News mentions: 0

No linked articles in our index yet.