
A critical security vulnerability has been disclosed in WSO2 API Manager 2.0.0 and earlier. Tracked as CVE-2025-2905 (CVSS 9.1), it is an XML External Entity (XXE) vulnerability in the product's gateway component.
According to the advisory, the issue stems from improper validation of XML input when the gateway processes crafted URL paths. As WSO2 notes, “user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution.” In practice, an attacker controls the document the parser sees, and the parser's default entity resolution lets that document reference resources local to the server.
The consequences of a successful XXE attack can be severe:
- Arbitrary file access: attackers can read files from the server's filesystem. The degree of access depends on the Java runtime the gateway runs on:
  - On JDK 7 or early JDK 8 releases, full file contents may be exposed.
  - On later JDK 8 releases and newer, only the first line of a file is accessible.
- Denial of service (DoS): malicious XML payloads can trigger resource exhaustion (for example, through entity expansion), rendering the service unavailable.
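To make the two failure modes above concrete, the following is an added illustration written for this article in Java (the language the WSO2 gateway is built in); it is not WSO2 code and is not taken from the advisory. It parses a constructed XXE payload with a default JAXP `DocumentBuilderFactory`, which resolves the `file:` external entity, and then with a hardened factory that refuses any DOCTYPE. The target file is a temporary file created by the demo itself, standing in for a real secret such as a configuration file.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed XXE payload: an external general entity pointing at a local file.
    // `target` is a temp file created in main, standing in for a real secret on disk.
    static String buildFileReadPayload(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"" + target.toUri() + "\"> ]>\n"
             + "<data>&xxe;</data>";
    }

    // Constructed entity-expansion (DoS-style) payload. Deliberately tiny (1000 expansions):
    // it is only used to show that the hardened parser rejects the DOCTYPE before expanding anything.
    static String buildExpansionPayload() {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE lolz [\n"
             + " <!ENTITY a \"aaaaaaaaaa\">\n"
             + " <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
             + " <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n"
             + "]>\n"
             + "<lolz>&c;</lolz>";
    }

    // Vulnerable pattern: a default DocumentBuilderFactory accepts DOCTYPE declarations and
    // resolves external general entities, so the referenced file ends up in the element text.
    static String parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    // Hardened pattern: forbid DOCTYPE outright, which stops both external entities and
    // entity-expansion DoS. The remaining features are defence in depth for parsers that
    // cannot disable DOCTYPE because they rely on an internal DTD.
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties (JDK 7u40 and later): empty string = no protocols allowed.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "line-1-of-secret\nline-2-of-secret\n".getBytes(StandardCharsets.UTF_8));
        try {
            String fileRead = buildFileReadPayload(secret);
            // How much of the file appears here depends on the JDK, as the advisory notes.
            System.out.println("unsafe parser leaked: "
                + parseUnsafe(fileRead).trim().replace("\n", "\\n"));

            for (String payload : new String[] { fileRead, buildExpansionPayload() }) {
                try {
                    parseHardened(payload);
                    System.out.println("hardened parser: accepted payload (unexpected)");
                } catch (SAXParseException e) {
                    System.out.println("hardened parser rejected payload: " + e.getMessage());
                }
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The unsafe branch prints the temp file's contents (one or both lines, depending on the runtime); the hardened branch throws a `SAXParseException` on both payloads before any entity is resolved or expanded, which is the behaviour a gateway parsing attacker-controlled XML needs.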
WSO2 credits the researcher crnkovic for responsibly reporting the vulnerability and collaborating on its resolution.
Although the vulnerability is rated critical, WSO2 is not releasing a new patch. The company confirms that the issue was already addressed by an earlier advisory, WSO2-2016-0151: the patch issued then resolved a previously reported XSS vulnerability and incidentally mitigated CVE-2025-2905 as well.
For users who have not yet applied the 2016 patch, immediate remediation is strongly advised, as it addresses both the XSS and XXE vulnerabilities.