{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-2905","assignerOrgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","state":"PUBLISHED","assignerShortName":"WSO2","dateReserved":"2025-03-28T08:46:09.062Z","datePublished":"2025-05-05T09:02:01.489Z","dateUpdated":"2025-10-16T11:39:21.741Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"WSO2 API Manager","vendor":"WSO2","versions":[{"lessThan":"2.0.0","status":"affected","version":"0","versionType":"custom"},{"status":"affected","version":"2.1.0","versionType":"custom"},{"status":"affected","version":"2.2.0","versionType":"custom"},{"status":"affected","version":"2.5.0","versionType":"custom"},{"status":"affected","version":"2.6.0","versionType":"custom"},{"status":"affected","version":"3.0.0","versionType":"custom"},{"status":"affected","version":"3.1.0","versionType":"custom"},{"lessThan":"4.0.0.311","status":"affected","version":"4.0.0","versionType":"custom"},{"lessThan":"4.1.0.152","status":"affected","version":"4.1.0","versionType":"custom"},{"lessThan":"4.2.0.122","status":"affected","version":"4.2.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Enterprise Integrator","vendor":"WSO2","versions":[{"lessThan":"6.0.0","status":"unknown","version":"0","versionType":"custom"},{"status":"affected","version":"6.0.0","versionType":"custom"},{"status":"affected","version":"6.1.0","versionType":"custom"},{"status":"affected","version":"6.1.1","versionType":"custom"},{"status":"affected","version":"6.2.0","versionType":"custom"},{"status":"affected","version":"6.3.0","versionType":"custom"},{"status":"affected","version":"6.4.0","versionType":"custom"},{"status":"affected","version":"6.5.0","versionType":"custom"},{"status":"affected","version":"6.6.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Enterprise Service Bus","vendor":"WSO2","versions":[{"lessThan":"4.9.0","status":"unknown","version":"0","versionType":"custom"},{"status":"affected","version":"4.9.0","versionType":"custom"},{"status":"affected","version":"5.0.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Micro integrator","vendor":"WSO2","versions":[{"lessThan":"1.0.0","status":"unknown","version":"0","versionType":"custom"},{"status":"affected","version":"1.0.0","versionType":"custom"},{"status":"affected","version":"1.1.0","versionType":"custom"},{"lessThan":"1.2.0.162","status":"affected","version":"1.2.0","versionType":"custom"},{"lessThan":"4.0.0.132","status":"affected","version":"4.0.0","versionType":"custom"},{"lessThan":"4.1.0.115","status":"affected","version":"4.1.0","versionType":"custom"},{"lessThan":"4.2.0.112","status":"affected","version":"4.2.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Open Banking AM","vendor":"WSO2","versions":[{"lessThan":"1.5.0","status":"unknown","version":"0","versionType":"custom"},{"status":"affected","version":"1.5.0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"reporter","value":"crnkovic"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products.

A successful XXE attack could allow a remote, unauthenticated attacker to:
"}],"value":"Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products.\n\nA successful XXE attack could allow a remote, unauthenticated attacker to:\n * Read sensitive files from the server’s filesystem.\n * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-611","description":"CWE-611 Improper Restriction of XML External Entity Reference","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","shortName":"WSO2","dateUpdated":"2025-10-16T11:39:21.741Z"},"references":[{"tags":["vendor-advisory"],"url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3...
"}],"value":"Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution"}],"source":{"advisory":"WSO2-2025-3993","discovery":"EXTERNAL"},"title":"An XML External Entity (XXE) vulnerability in Multiple WSO2 Products","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-05-05T12:44:33.257401Z","id":"CVE-2025-2905","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-05T12:45:10.518Z"}}]}}