VYPR
Unrated severityNVD Advisory· Published Nov 5, 2025· Updated Jan 20, 2026

Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution

CVE-2025-3125

Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE).

This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

4
  • WSO2/org.wso2.carbon.commons:org.wso2.carbon.application.uploadv5
    Range: 4.7.19
  • WSO2/WSO2 Open Banking IAMv5
    Range: 2.0.0
  • WSO2/WSO2 Universal Gatewayv5
    Range: 4.5.0

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.