CVE-2025-10713

An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wso2:api_control_plane:4.5.0:-::::::
	cpe:2.3:a:wso2:api_manager:3.1.0:::::::*
	cpe:2.3:a:wso2:api_manager:3.2.0:::::::*
	cpe:2.3:a:wso2:api_manager:3.2.1:::::::*
	cpe:2.3:a:wso2:api_manager:4.0.0:::::::*
	cpe:2.3:a:wso2:api_manager:4.1.0:-::::::
	cpe:2.3:a:wso2:api_manager:4.2.0:-::::::
	cpe:2.3:a:wso2:api_manager:4.3.0:-::::::
	cpe:2.3:a:wso2:api_manager:4.4.0:-::::::
	cpe:2.3:a:wso2:api_manager:4.5.0:-::::::
	cpe:2.3:a:wso2:enterprise_integrator:6.6.0:::::::*
	cpe:2.3:a:wso2:identity_server:5.10.0:::::::*
	cpe:2.3:a:wso2:identity_server:5.11.0:::::::*
	cpe:2.3:a:wso2:identity_server:7.1.0:-::::::
	cpe:2.3:a:wso2:open_banking_am:2.0.0:::::::*
	cpe:2.3:a:wso2:open_banking_iam:2.0.0:::::::*
	cpe:2.3:a:wso2:traffic_manager:4.5.0:::::::*
	cpe:2.3:a:wso2:universal_gateway:4.5.0:::::::*

History

04 Dec 2025, 21:07

Type	Values Removed	Values Added
References	~~() https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/ -~~	() https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/ - Vendor Advisory
First Time		Wso2 api Manager Wso2 Wso2 open Banking Iam Wso2 traffic Manager Wso2 open Banking Am Wso2 enterprise Integrator Wso2 api Control Plane Wso2 universal Gateway Wso2 identity Server
CPE		cpe:2.3:a:wso2:api_manager:4.5.0:-:::::: cpe:2.3:a:wso2:identity_server:7.1.0:-:::::: cpe:2.3:a:wso2:api_manager:4.1.0:-:::::: cpe:2.3:a:wso2:api_manager:3.2.0:::::::* cpe:2.3:a:wso2:api_manager:4.4.0:-:::::: cpe:2.3:a:wso2:open_banking_iam:2.0.0:::::::* cpe:2.3:a:wso2:traffic_manager:4.5.0:::::::* cpe:2.3:a:wso2:identity_server:5.10.0:::::::* cpe:2.3:a:wso2:api_manager:4.2.0:-:::::: cpe:2.3:a:wso2:api_manager:4.3.0:-:::::: cpe:2.3:a:wso2:api_manager:4.0.0:::::::* cpe:2.3:a:wso2:api_control_plane:4.5.0:-:::::: cpe:2.3:a:wso2:api_manager:3.2.1:::::::* cpe:2.3:a:wso2:api_manager:3.1.0:::::::* cpe:2.3:a:wso2:enterprise_integrator:6.6.0:::::::* cpe:2.3:a:wso2:universal_gateway:4.5.0:::::::* cpe:2.3:a:wso2:identity_server:5.11.0:::::::* cpe:2.3:a:wso2:open_banking_am:2.0.0:::::::*

05 Nov 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-05 18:15

Updated : 2025-12-04 21:07

NVD link : CVE-2025-10713

Mitre link : CVE-2025-10713

CVE.ORG link : CVE-2025-10713

JSON object : View

Products Affected

wso2

api_control_plane
open_banking_iam
api_manager
open_banking_am
enterprise_integrator
universal_gateway
traffic_manager
identity_server

CWE

CWE-611

Improper Restriction of XML External Entity Reference

6.5 /10