Critical severity · NVD Advisory · Published May 5, 2025 · Updated Oct 16, 2025

An XML External Entity (XXE) vulnerability in Multiple WSO2 Products

CVE-2025-2905

Description

Due to improper configuration of the XML parser, user-supplied XML is parsed without sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 products.

A successful XXE attack could allow a remote, unauthenticated attacker to:
  • Read sensitive files from the server's filesystem.
  • Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.
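The parser restrictions the description refers to, shown as an added example that is not WSO2's code or patch: a JAXP DocumentBuilderFactory with DOCTYPE and external entities disabled, checked against a constructed document. It assumes the JDK's built-in Xerces-based parser (other implementations may not recognise these feature URIs); the class name, method names and placeholder path are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class XxeHardeningCheck {
    // Constructed sample: declares an external entity that points at a placeholder path.
    static final String SAMPLE = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE r [<!ENTITY x SYSTEM \"file:///placeholder-does-not-exist\">]>"
        + "<r>&x;</r>";

    // Factory with the restrictions applied (feature URIs are the Xerces/JAXP ones).
    static DocumentBuilderFactory hardened() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE: without a DTD there are no entity declarations to resolve.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPE support is ever switched back on.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Reports what the parser did with the input.
    static String outcome(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            f.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed";
        } catch (SAXParseException e) {
            return "rejected by parser";            // e.g. DOCTYPE disallowed
        } catch (IOException e) {
            return "attempted external resolution"; // parser tried to open the entity URL
        }
    }

    public static void main(String[] args) throws Exception {
        // An unconfigured factory is the "insufficient restrictions" case; its result
        // depends on the JDK's defaults, so it is printed for comparison, not assumed.
        System.out.println("default : " + outcome(DocumentBuilderFactory.newInstance(), SAMPLE));
        System.out.println("hardened: " + outcome(hardened(), SAMPLE));
    }
}
```

Any result other than "rejected by parser" for the hardened factory means the features were not honoured by the parser implementation on the classpath.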

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.wso2.am:am-distribution-parent (Maven) | < 2.1.0 | 2.1.0

Affected products

6
  • WSO2/WSO2 API Managerv5
    Range: 0
  • WSO2/WSO2 Enterprise Integratorv5
    Range: 6.0.0
  • WSO2/WSO2 Enterprise Service Busv5
    Range: 4.9.0
  • WSO2/WSO2 Micro integratorv5
    Range: 1.0.0
  • WSO2/WSO2 Open Banking AMv5
    Range: 1.5.0
