Security researcher Crnkovic has disclosed three critical vulnerabilities — CVE-2025-9152, CVE-2025-10611, and CVE-2025-9804 — in WSO2 API Manager and WSO2 Identity Server, each scoring 9.8 on the CVSS scale. These flaws allow unauthenticated remote attackers to gain administrator privileges and, in some cases, execute arbitrary code.
The vulnerabilities stem from WSO2’s flawed regex-based access control configuration, where permissions and endpoint protection rules are defined separately from the application logic. This architectural separation, combined with case sensitivity errors and improper normalization of request paths, leads to complete authentication bypass across multiple products.
The first vulnerability, CVE-2025-9152, affects WSO2 API Manager 3.2.0 and later releases prior to the fix, and is caused by missing and poorly written regular expressions in the access control configuration file (identity.xml).
Crnkovic explains that “WSO2 API Manager implements OAuth 2.0 for authentication. The settings around OAuth clients are managed with a super-sensitive internal API that lives under /keymanager-operations/.”
He continues, “Unfortunately, the regular expressions in the configuration document fail to capture all the important endpoints under /keymanager-operations/. To my horror, I noticed some endpoints aren’t included at all, and others can have their regular expressions bypassed with a simple trailing slash.”
The most serious case involves the endpoint /keymanager-operations/dcr/register/<client_id>, which leaks OAuth client secrets and allows attackers to register or modify clients without authentication.
Crnkovic warns, “This flaw allows an unauthenticated attacker to gain total administrative access in just a few requests.”
Once the attacker obtains an administrative OAuth token, they can modify user passwords, create new admin accounts, or escalate to remote code execution by exploiting existing admin-only vulnerabilities.
The second vulnerability, CVE-2025-10611, covers two distinct bypass mechanisms: one based on HTTP method case sensitivity, and another exploiting path normalization flaws in WSO2's authentication logic.
Crnkovic details, “A <Resource http-method="POST"> only matches on all-caps POST. If you whisper the method in lowercase, equals() gives false. This allows an attacker to provide an alternatively cased method, e.g., Post versus POST, to totally bypass the imposed restriction.”
By sending a request whose method line reads Post /keymanager-operations/dcr/register instead of POST, an attacker sidesteps the rule that normally requires authentication, because the rule only matches the exact-case method; the API nevertheless processes the request as valid, resulting in a full authentication bypass without any regex manipulation.
The second half of CVE-2025-10611 targets the WSO2 Identity Server. It abuses an insecure regular expression that incorrectly marks paths as “public.” Crnkovic writes, “The entry saying that .well-known/openid-configuration doesn’t need authentication makes sense. What doesn’t make as much sense, however, is the (.*) at the beginning of that expression.”
This overly broad pattern allows unauthenticated access to sensitive endpoints like /scim2/Users when combined with URL encoding and Java’s normalization behavior.
Crnkovic demonstrates the exploit with:
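As an added illustration (not Crnkovic's own proof of concept, which this summary does not reproduce, and not WSO2 code), the following Python models a regex-based access-control filter of the kind described above. It puts the three weaknesses named in the article beside a hardened checker: a rule that misses a trailing slash, a method comparison that only matches exact case, and a public entry with a leading (.*). The rules, handler names and probe requests are constructed stand-ins; the percent-encoded probe is a generic illustration of checking the raw path while the router dispatches on the decoded one, not the specific request that reached /scim2/Users.

```python
"""Toy regex-based HTTP access-control filter with the three weaknesses
discussed above (trailing slash, method case, an over-broad '(.*)' public
rule) and a hardened checker beside it.  Everything here is constructed for
illustration: the rules, handler names and requests are stand-ins, not WSO2's
identity.xml, its routing code or the researcher's proof of concept."""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical protected resources: (method, path regex, handler, required role).
# First matching rule wins, as in a typical ordered ACL.
RULES = [
    ("POST", r"/keymanager-operations/dcr/register", "dcr-register", "admin"),
    ("GET", r"/keymanager-operations/dcr/register/[^/]+", "dcr-client", "admin"),
    ("GET", r"/scim2/Users", "scim-users", "admin"),
]
# Unauthenticated paths.  The weak entry carries the leading (.*) the article
# quotes; the strict one is anchored to the exact path and escapes the dots.
PUBLIC_WEAK = [r"(.*)/.well-known/openid-configuration"]
PUBLIC_STRICT = [r"/\.well-known/openid-configuration"]


def canonical_path(raw_path: str) -> str:
    """The view a servlet container's router effectively dispatches on:
    percent-decoded, duplicate slashes collapsed, dot segments resolved,
    trailing slash dropped."""
    decoded = re.sub(r"/+", "/", unquote(raw_path))
    return posixpath.normpath(decoded)


def route(raw_path: str) -> Optional[str]:
    """Toy router.  Like the behaviour described above, it does not refuse an
    oddly cased method; it only looks at the canonical path."""
    path = canonical_path(raw_path)
    for _method, pattern, handler, _role in RULES:
        if re.fullmatch(pattern, path):
            return handler
    return None


def naive_allows(method: str, raw_path: str, role: Optional[str]) -> bool:
    """Flawed filter: matches the raw request line against the rules, compares
    the method with exact case (Java equals() semantics) and fails OPEN when
    no rule matches, so any path the regexes miss is reachable anonymously."""
    if any(re.fullmatch(p, raw_path) for p in PUBLIC_WEAK):
        return True
    for rule_method, pattern, _handler, need in RULES:
        if method == rule_method and re.fullmatch(pattern, raw_path):
            return role == need
    return True  # unmatched -> treated as unprotected


def hardened_allows(method: str, raw_path: str, role: Optional[str]) -> bool:
    """Decide on the same canonical path the router will dispatch on,
    normalise the method, use exact anchored public rules and fail CLOSED."""
    path = canonical_path(raw_path)
    method = method.upper()
    if any(re.fullmatch(p, path) for p in PUBLIC_STRICT):
        return True
    for rule_method, pattern, _handler, need in RULES:
        if method == rule_method and re.fullmatch(pattern, path):
            return role == need
    return False  # unmatched -> deny; new endpoints must be listed explicitly


# Constructed probe requests, each sent without credentials (role=None).
PROBES = [
    ("POST", "/keymanager-operations/dcr/register/"),          # trailing slash
    ("Post", "/keymanager-operations/dcr/register"),           # mixed-case method
    ("GET", "/scim2/%55sers"),                                 # percent-encoded 'U'
    ("GET", "/scim2/Users/.well-known/openid-configuration"),  # (.*) prefix
    ("GET", "/.well-known/openid-configuration"),              # genuinely public
]


def audit(probes=PROBES):
    """Return (method, path, naive verdict, hardened verdict, handler) rows."""
    return [(m, p, naive_allows(m, p, None), hardened_allows(m, p, None), route(p))
            for m, p in probes]


if __name__ == "__main__":
    for method, path, naive, hard, handler in audit():
        print(f"{method:5} {path:52} naive={naive!s:5} hardened={hard!s:5} -> {handler}")
```

Running the block shows the first four probes passing the naive filter while the router dispatches the first three of them to admin-only handlers; the hardened checker denies all four and still admits the genuinely public discovery document. The fail-closed default on its own covers the "endpoints not included at all" case; canonicalising before matching covers the trailing slash and encoding variants; upper-casing the method covers the Post/POST case; and anchoring the public rule removes the breadth the leading (.*) introduced. Whether a given container accepts a particular encoding or dot-segment form is container-specific, which is why the check and the dispatch must be made on the same canonical string.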
The third vulnerability, CVE-2025-9804, impacts older versions of WSO2 API Manager (≤ 3.1.0) and resides in the SOAP-based APIKeyMgtSubscriberService endpoint, a predecessor of /keymanager-operations/.
Crnkovic explains, “You can’t access APIKeyMgtSubscriberService without valid credentials; you need to be a user. However, you don’t need any special privileges beyond that: you only need the ability to log in. This allows low-level users to gain administrative access in a procedure almost identical to CVE-2025-9152.”
Because many API Manager installations permit self-signup, this vulnerability effectively lets any unauthenticated attacker create a user and elevate themselves to admin, leading to full compromise.
WSO2 has patched the issues, but the researcher warns that regex-based access control remains a high-risk pattern — one that defenders and developers alike should treat with caution.