CVE-2025-2905 CRITICAL

CVE-2025-2905: An XML External Entity (XXE) vulnerability in Multiple WSO2 Products

Vendor Wso2
Product WSO2 API Manager
Weakness CWE-611 · XXE
Published May 5, 2025
Last update October 16, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

What the vulnerability does

Description

Due to the improper configuration of the XML parser, user-supplied XML is parsed without sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 products. A successful XXE attack could allow a remote, unauthenticated attacker to:

* Read sensitive files from the server’s filesystem.
* Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.

Key dates

Disclosure timeline

May 5, 2025 CVE published
October 16, 2025 Record updated