AI description
CVE-2025-2905 is an XML External Entity (XXE) vulnerability found in WSO2 API Manager 2.0.0 and earlier. The vulnerability exists in the gateway component due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. An unauthenticated remote attacker can exploit this vulnerability to read files from the server's filesystem or perform denial-of-service (DoS) attacks. The extent of file access depends on the Java runtime environment; full file contents may be exposed on JDK 7 or early JDK 8, while later versions of JDK 8 and newer may only expose the first line of a file. A patch has been released under WSO2-2016-0151, which also resolves a previously disclosed XSS vulnerability.
- Description
- An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks.
  * On systems running JDK 7 or early JDK 8, full file contents may be exposed.
  * On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior.
  * DoS attacks such as "Billion Laughs" payloads can cause service disruption.
- Source
- ed10eef1-636d-4fbe-9993-6890dfa878f8
- NVD status
- Awaiting Analysis
- CNA Tags
- unsupported-when-assigned
CVSS 3.1
- Type
- Secondary
- Base score
- 9.1
- Impact score
- 5.2
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
- Severity
- CRITICAL
- ed10eef1-636d-4fbe-9993-6890dfa878f8
- CWE-611
- Hype score
- Not currently trending
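The root cause described above is an XML parser that accepts inline DTDs, so both external entities (file reads) and recursive internal entities (Billion Laughs) reach the resolver. The following is an added example, not WSO2 code, of the usual mitigation for that class of bug: reject any DOCTYPE before the parser processes a single entity declaration. The sample documents and the file path in them are constructed placeholders.

```python
"""Parsing policy that refuses inline DTDs, as a mitigation for XXE and entity-expansion DoS."""
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when a document declares a DTD (<!DOCTYPE ...>)."""


def parse_without_dtd(xml_bytes: bytes) -> list:
    """Parse `xml_bytes` and return the element names seen, in document order.

    Any <!DOCTYPE> is rejected up front. expat reports the start of the DOCTYPE
    before it processes the declarations inside it, so external entities and
    recursive internal entities are refused before anything is declared or expanded.
    """
    elements = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside the handler aborts Parse() immediately.
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in API input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(xml_bytes, True)
    return elements


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the document parses under the no-DTD policy, False if it is refused."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except DoctypeRejected:
        return False


# Constructed samples (not taken from the advisory); the file path is a placeholder.
BENIGN = b"<request><op>lookup</op></request>"
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///placeholder/path.txt">]>'
    b"<r>&x;</r>"
)
ENTITY_EXPANSION = (
    b'<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa">'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
    b"<r>&b;</r>"
)
```

The same policy is what `disallow-doctype-decl` expresses for Java parsers; where a service genuinely needs a DTD, disabling external general and parameter entities is the fallback, but it does not stop internal entity expansion on its own.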
CVE-2025-2905 (CVSS:9.1, CRITICAL) is Awaiting Analysis. An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient valid..https://t.co/UgRjfDOKyx #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
10 May 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical XXE Vulnerability – WSO2 API Manager (CVE-2025-2905) 🚨 A newly disclosed XML External Entity (XXE) flaw affects WSO2 API Manager v2.0.0 and earlier, carrying a CVSS score of 9.1. Impact: Remote, unauthenticated attackers can exploit this to:
@modat_magnify
6 May 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-2905 (CVSS 9.1): Critical XXE Vulnerability Found in WSO2 API Manager https://t.co/smlMZvx9s9
@Dinosn
6 May 2025
1837 Impressions
8 Retweets
13 Likes
3 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2025-2905 (CVSS 9.1): Critical XXE Vulnerability Found in WSO2 API https://t.co/ipBKp6VD0O affects versions 2.0.0 and earlier. 📊3.3K+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/LMAKFrh4xq 👇Query HUNTER : https://
@HunterMapping
6 May 2025
4065 Impressions
25 Retweets
73 Likes
28 Bookmarks
2 Replies
0 Quotes
A serious XML External Entity (XXE) vulnerability (CVE-2025-2905) exists in WSO2 API Manager versions 2.0.0 and earlier. Because validation of XML input in the gateway component is insufficient, an attacker can … local resources on the server
@yousukezan
6 May 2025
1098 Impressions
0 Retweets
6 Likes
1 Bookmark
1 Reply
0 Quotes
A critical #XXE vulnerability (CVE-2025-2905) in WSO2 API Manager could expose sensitive files or cause DoS attacks. Patch already exists—but have you applied it? ⚠️ Details: https://t.co/pB30yhTeBx #CyberSecurity #WSO2 #InfoSec
@threatsbank
5 May 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-2905 ⚠️🔴 CRITICAL (9.1) 🏢 WSO2 - WSO2 API Manager 🏗️ 0 🔗 https://t.co/ZPA6OhwDaU #CyberCron #VulnAlert #InfoSec https://t.co/wFFlYKPbJy
@cybercronai
5 May 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-2905 An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-su… https://t.co/69Vlng041U
@CVEnew
5 May 2025
573 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-2905: CRITICAL] WSO2 API Manager's gateway component is exposed to an XXE vulnerability, allowing attackers to access server files or conduct DoS attacks. JDK version affects the extent of exploit.#cve,CVE-2025-2905,#cybersecurity https://t.co/uY2ZRrrT0i https://t.co/DT
@CveFindCom
5 May 2025
99 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes