{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-8154","assignerOrgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","state":"PUBLISHED","assignerShortName":"WSO2","dateReserved":"2025-07-25T06:42:23.104Z","datePublished":"2026-05-11T09:30:36.027Z","dateUpdated":"2026-05-11T12:43:47.037Z"},"containers":{"cna":{"providerMetadata":{"orgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","shortName":"WSO2","dateUpdated":"2026-05-11T09:43:39.282Z"},"title":"HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-74","description":"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-118","descriptions":[{"lang":"en","value":"CAPEC-118 CAPEC-118: HTTP Response Splitting"}]}],"affected":[{"vendor":"WSO2","product":"WSO2 API Manager","versions":[{"status":"unknown","version":"0","lessThan":"4.1.0","versionType":"custom"},{"status":"affected","version":"4.1.0","lessThan":"4.1.0.218","versionType":"custom"},{"status":"affected","version":"4.2.0","lessThan":"4.2.0.164","versionType":"custom"},{"status":"affected","version":"4.3.0","lessThan":"4.3.0.74","versionType":"custom"},{"status":"affected","version":"4.4.0","lessThan":"4.4.0.38","versionType":"custom"},{"status":"affected","version":"4.5.0","lessThan":"4.5.0.20","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"WSO2","product":"WSO2 Universal Gateway","versions":[{"status":"affected","version":"4.5.0","lessThan":"4.5.0.19","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"WSO2","product":"WSO2 Traffic Manager","versions":[{"status":"affected","version":"4.5.0","lessThan":"4.5.0.19","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"WSO2","product":"WSO2 API Control Plane","versions":[{"status":"affected","version":"4.5.0","lessThan":"4.5.0.21","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"WSO2","product":"WSO2 Carbon API Gateway","packageName":"org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.gateway","versions":[{"status":"affected","version":"9.20.74","lessThan":"9.20.74.374","versionType":"custom"},{"status":"affected","version":"9.28.116","lessThan":"9.28.116.363","versionType":"custom"},{"status":"affected","version":"9.29.120","lessThan":"9.29.120.181","versionType":"custom"},{"status":"affected","version":"9.30.67","lessThan":"9.30.67.104","versionType":"custom"},{"status":"affected","version":"9.31.86","lessThan":"9.31.86.64","versionType":"custom"},{"status":"unaffected","version":"9.32.2","lessThanOrEqual":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"WSO2","product":"WSO2 Carbon API Management Implementation","packageName":"org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl","versions":[{"status":"affected","version":"9.20.74","lessThan":"9.20.74.374","versionType":"custom"},{"status":"affected","version":"9.28.116","lessThan":"9.28.116.363","versionType":"custom"},{"status":"affected","version":"9.29.120","lessThan":"9.29.120.181","versionType":"custom"},{"status":"affected","version":"9.30.67","lessThan":"9.30.67.104","versionType":"custom"},{"status":"affected","version":"9.31.86","lessThan":"9.31.86.64","versionType":"custom"},{"status":"unaffected","version":"9.32.2","lessThanOrEqual":"*","versionType":"custom"}],"defaultStatus":"unknown"}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1.0","versionEndExcluding":"4.1.0.218"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2.0","versionEndExcluding":"4.2.0.164"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3.0","versionEndExcluding":"4.3.0.74"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.0","versionEndExcluding":"4.4.0.38"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.5.0.20"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.5.0.19"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.5.0.19"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.5.0.21"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_gateway:*:*:*:*:*:*:*:*","versionStartIncluding":"9.20.74","versionEndExcluding":"9.20.74.374"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_gateway:*:*:*:*:*:*:*:*","versionStartIncluding":"9.28.116","versionEndExcluding":"9.28.116.363"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_gateway:*:*:*:*:*:*:*:*","versionStartIncluding":"9.29.120","versionEndExcluding":"9.29.120.181"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_gateway:*:*:*:*:*:*:*:*","versionStartIncluding":"9.30.67","versionEndExcluding":"9.30.67.104"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_gateway:*:*:*:*:*:*:*:*","versionStartIncluding":"9.31.86","versionEndExcluding":"9.31.86.64"},{"vulnerable":false,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_gateway:*:*:*:*:*:*:*:*","versionStartIncluding":"9.32.2","versionEndIncluding":"*"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.20.74","versionEndExcluding":"9.20.74.374"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.28.116","versionEndExcluding":"9.28.116.363"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.29.120","versionEndExcluding":"9.29.120.181"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.30.67","versionEndExcluding":"9.30.67.104"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.31.86","versionEndExcluding":"9.31.86.64"},{"vulnerable":false,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.32.2","versionEndIncluding":"*"}]}]}],"descriptions":[{"lang":"en","value":"In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses.\n\nBy exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.","supportingMedia":[{"type":"text/html","base64":false,"value":"In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses.\n\nBy exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities."}]}],"references":[{"url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}],"solutions":[{"lang":"en","value":"Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/#solution","supportingMedia":[{"type":"text/html","base64":false,"value":"<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/#solution</span></a> <br>"}]}],"source":{"advisory":"WSO2-2025-4410","discovery":"INTERNAL"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-11T12:43:38.026738Z","id":"CVE-2025-8154","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-11T12:43:47.037Z"}}]}}