Critical severity · NVD Advisory · Published May 5, 2025 · Updated Oct 16, 2025
An XML External Entity (XXE) vulnerability in Multiple WSO2 Products
CVE-2025-2905
Description
Due to improper configuration of the XML parser, user-supplied XML is parsed without sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 products.
A successful XXE attack could allow a remote, unauthenticated attacker to:
- Read sensitive files from the server's filesystem.
- Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.wso2.am:am-distribution-parent (Maven) | < 2.1.0 | 2.1.0 |
Affected products
- WSO2/WSO2 API Manager (v5; range: 0)
- WSO2/WSO2 Enterprise Integrator (v5; range: 6.0.0)
- WSO2/WSO2 Enterprise Service Bus (v5; range: 4.9.0)
- WSO2/WSO2 Micro Integrator (v5; range: 1.0.0)
- WSO2/WSO2 Open Banking AM (v5; range: 1.5.0)
References
- github.com/advisories/GHSA-h94w-8qhg-3xmc (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-2905 (GHSA, advisory)
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/ (MITRE, vendor advisory)
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993 (GHSA, web)