Unrated severityNVD Advisory· Published Nov 5, 2025· Updated Jan 20, 2026

Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution

CVE-2025-3125

Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE).

This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

Affected products

Wso2/Wso2 Traffic Managerv5
Range: 4.5.0
WSO2/org.wso2.carbon.commons:org.wso2.carbon.application.uploadv5
Range: 4.7.19
WSO2/WSO2 Open Banking IAMv5
Range: 2.0.0
WSO2/WSO2 Universal Gatewayv5
Range: 4.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3961/mitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000