VYPR
Critical severity · NVD Advisory · Published Feb 19, 2026 · Updated Mar 6, 2026

Authenticated arbitrary file upload via a System REST API requiring administrator permission.

CVE-2025-13590

Description

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.

By exploiting the vulnerability, a malicious actor may achieve remote code execution by uploading a specially crafted payload.
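To make the two root causes concrete, the following is an added example (not code from carbon-apimgt) that contrasts the pre-fix substring extension check with the patched logic: an allow-listed extension at the end of the name plus a canonical-path containment check. The directory name and file names are constructed for illustration.

```python
import os

# Constructed example: the pre-fix check tested whether ".yaml" appeared
# anywhere in the upload name, so any name merely containing it passed.
def vulnerable_is_yaml(upload_name: str) -> bool:
    return ".yaml" in upload_name


# Allow-list of import extensions, mirroring the patched constants.
ALLOWED_EXTENSIONS = (".yaml", ".yml", ".json")


def validate_upload(import_dir: str, upload_name: str) -> str:
    """Mirror of the patched validation: reject empty names, require an
    allow-listed extension at the END of the name (case-insensitive), and
    require the resolved target to stay inside import_dir.
    Returns the resolved target path; raises ValueError otherwise."""
    if not upload_name:
        raise ValueError("Invalid file name. File name cannot be null or empty.")
    if not upload_name.lower().endswith(ALLOWED_EXTENSIONS):
        raise ValueError("Invalid file type. Only YAML and JSON files are allowed.")
    canonical_dir = os.path.realpath(import_dir)
    # os.path.join discards canonical_dir if upload_name is absolute, and
    # realpath collapses any "..": both cases are caught by the prefix check.
    target = os.path.realpath(os.path.join(canonical_dir, upload_name))
    if not target.startswith(canonical_dir + os.sep):
        raise ValueError("Invalid file name.")
    return target


def is_accepted(import_dir: str, upload_name: str) -> bool:
    """Boolean wrapper around validate_upload for quick checks."""
    try:
        validate_upload(import_dir, upload_name)
        return True
    except ValueError:
        return False
```

As in the patch, a name with directory components under the import directory (for example `sub/policy.yaml`) is still accepted; only escapes from that directory are rejected.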

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl (Maven)
Affected versions: < 9.32.167
Patched versions: 9.32.167

Patches

Commit 49a6427b39a5

Merge pull request #13560 from PasanT9/fix-112

https://github.com/wso2/carbon-apimgt · Pasan Tennakoon · Jan 23, 2026 · via ghsa
2 files changed · +21 −1
  • components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/importexport/ImportExportConstants.java · +1 −0 · modified
    @@ -72,6 +72,7 @@ public final class ImportExportConstants {
     
         public static final String JSON_EXTENSION = ".json";
         public static final String YAML_EXTENSION = ".yaml";
    +    public static final String YML_EXTENSION = ".yml";
     
         // Image resource
         public static final String IMAGE_RESOURCE = "Image";
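Review bot: the new `YML_EXTENSION` constant is added without a comment tying it to `JSON_EXTENSION` and `YAML_EXTENSION` as the set of import extensions that the validation in `ThrottlingApiServiceImpl.getImportedPolicy` allow-lists; a one-line comment above this group saying so would stop a future extension being added here without the corresponding check being updated.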
    
  • components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/admin/v1/impl/ThrottlingApiServiceImpl.java · +20 −1 · modified
    @@ -1225,13 +1225,32 @@ public Response exportThrottlingPolicy(String policyId, String policyName, Strin
          */
         public static ExportThrottlePolicyDTO getImportedPolicy(InputStream uploadedInputStream, Attachment fileDetail)
                 throws ParseException, APIImportExportException, IOException {
    +
             File importFolder = CommonUtil.createTempDirectory(null);
             String uploadFileName = fileDetail.getContentDisposition().getFilename();
    -        String fileType = (uploadFileName.contains(ImportExportConstants.YAML_EXTENSION)) ?
    +        if (StringUtils.isEmpty(uploadFileName)) {
    +            throw new APIImportExportException("Invalid file name. File name cannot be null or empty.");
    +        }
    +        // Validate file extension to prevent uploading unauthorized file types
    +        String lowerCaseFileName = uploadFileName.toLowerCase();
    +        boolean isYamlFile =
    +                lowerCaseFileName.endsWith(ImportExportConstants.YAML_EXTENSION) || lowerCaseFileName.endsWith(
    +                        ImportExportConstants.YML_EXTENSION);
    +        boolean isJsonFile = lowerCaseFileName.endsWith(ImportExportConstants.JSON_EXTENSION);
    +        if (!isYamlFile && !isJsonFile) {
    +            throw new APIImportExportException("Invalid file type. Only YAML and JSON files are allowed.");
    +        }
    +        String fileType = isYamlFile ?
                     ImportExportConstants.EXPORT_POLICY_TYPE_YAML :
                     ImportExportConstants.EXPORT_POLICY_TYPE_JSON;
    +        // Validating the canonical path
             String absolutePath = importFolder.getAbsolutePath() + File.separator + uploadFileName;
             File targetFile = new File(absolutePath);
    +        String canonicalPath = targetFile.getCanonicalPath();
    +        String canonicalImportPath = importFolder.getCanonicalPath();
    +        if (!canonicalPath.startsWith(canonicalImportPath + File.separator)) {
    +            throw new APIImportExportException("Invalid file name.");
    +        }
             FileUtils.copyInputStreamToFile(uploadedInputStream, targetFile);
             return preprocessImportedArtifact(absolutePath, fileType);
         }
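Review bot: the containment check `if (!canonicalPath.startsWith(canonicalImportPath + File.separator))` validates `canonicalPath`, but the subsequent `FileUtils.copyInputStreamToFile(uploadedInputStream, targetFile)` and `preprocessImportedArtifact(absolutePath, fileType)` still operate on the pre-canonicalisation `absolutePath`; pass `canonicalPath` (or `targetFile.getCanonicalPath()`) to both so the path that was validated is the one used. Note also that the check only requires the target to remain under `importFolder`, so an upload name carrying directory components (for example `sub/policy.yaml`) is still accepted and `copyInputStreamToFile` will create that subdirectory; if nested targets are not intended, reduce `uploadFileName` to its last path segment before building `absolutePath`. The move from `contains(YAML_EXTENSION)` to `endsWith` on the lower-cased name is the right fix for the extension check; consider a short comment on why `toLowerCase()` is applied so the case-insensitivity is understood as deliberate.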
    
