CVE-2025-3125 MEDIUM

CVE-2025-3125: Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution

Vendor Wso2
Product WSO2 Identity Server
Weakness CWE-434 · Unrestricted file upload
Published November 5, 2025
Last update January 20, 2026

CVSS base score

6.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01 Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to an attacker-chosen location on the server, potentially leading to remote code execution (RCE). Because this functionality is restricted by default to admin users, successful exploitation requires valid credentials with administrative permissions, which is why the vector carries PR:H and the base score lands at 6.7 rather than in the critical range.
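Since exploitation needs an admin session, the practical question for a defender is whether the CarbonAppUploader admin service is reachable from outside the management network and who has been calling it. The following detection script is an added example written for this page; it is not WSO2's code and not part of the advisory. It assumes the admin service is exposed under the Carbon `/services/` context at `/services/CarbonAppUploader`, that the front-end proxy writes a combined-style HTTP access log, and that `10.0.0.0/8` is the trusted admin network; all three are assumptions, and the sample log lines are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: WSO2 Carbon admin SOAP services are served under /services/ and the
# uploader is reachable as /services/CarbonAppUploader (with optional endpoint
# suffix such as ".CarbonAppUploaderHttpsSoap11Endpoint/" or a "?wsdl" query).
UPLOADER_PATH = re.compile(r"^/services/CarbonAppUploader(\.|/|\?|$)", re.IGNORECASE)

# Assumption: the admin network from which legitimate CAR deployments originate.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined-style access log: src ident user [ts] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real WSO2 output): two internal admin calls,
# one external upload, one external WSDL probe, and one unrelated admin service.
SAMPLE_LOG = """\
10.0.0.5 - admin [05/Nov/2025:10:01:12 +0000] "POST /services/CarbonAppUploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - admin [05/Nov/2025:10:01:13 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - admin [05/Nov/2025:10:02:40 +0000] "POST /services/CarbonAppUploader.CarbonAppUploaderHttpsSoap11Endpoint/ HTTP/1.1" 202 0 "-" "curl/8.4.0"
198.51.100.7 - - [05/Nov/2025:10:03:01 +0000] "GET /services/CarbonAppUploader?wsdl HTTP/1.1" 200 9311 "-" "Mozilla/5.0"
10.0.0.8 - alice [05/Nov/2025:10:04:55 +0000] "POST /services/UserAdmin HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    src: str
    user: str
    ts: str
    method: str
    path: str
    status: int
    reason: str
    severity: str


def is_trusted(src: str) -> bool:
    """True when the source address falls inside an allowlisted admin network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are treated as untrusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def analyze_line(line: str) -> Optional[Finding]:
    """Classify one access-log line; None when it does not touch the uploader."""
    m = LOG_RE.match(line)
    if not m or not UPLOADER_PATH.match(m["path"]):
        return None
    method, path = m["method"].upper(), m["path"]
    if method == "POST":
        # Any POST is a potential CAR upload; the source network decides severity.
        if is_trusted(m["src"]):
            reason, severity = "CarbonAppUploader invoked from admin network (verify change record)", "medium"
        else:
            reason, severity = "CarbonAppUploader invoked from untrusted source", "high"
    elif method == "GET" and "?wsdl" in path.lower():
        # WSDL retrieval is reconnaissance; it should not be reachable externally at all.
        reason, severity = "WSDL probe of CarbonAppUploader admin service", "low"
    else:
        return None
    return Finding(m["src"], m["user"], m["ts"], method, path, int(m["status"]), reason, severity)


def analyze_log(text: str) -> List[Finding]:
    """Run analyze_line over every non-empty line and keep the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.ts} {f.src} user={f.user} {f.method} {f.path} -> {f.reason}")
```

The allowlist check is what turns an otherwise noisy "someone called an admin service" signal into something actionable: an admin-authenticated POST to the uploader from outside the management network is exactly the access pattern this CVE requires, and a WSDL fetch from an external address shows the endpoint is exposed in the first place, which is the exposure to remove regardless of patch status.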

Key dates

02 Disclosure timeline

November 5, 2025 CVE published
January 20, 2026 Record updated