Unrated severityNVD Advisory· Published Nov 5, 2025· Updated Jan 20, 2026
Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution
CVE-2025-3125
Description
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE).
This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
4- Range: 4.5.0
- WSO2/org.wso2.carbon.commons:org.wso2.carbon.application.uploadv5Range: 4.7.19
- WSO2/WSO2 Open Banking IAMv5Range: 2.0.0
- WSO2/WSO2 Universal Gatewayv5Range: 4.5.0
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.