CVE-2025-2905
Published: 2025-05-05
Priority: P3 · 56 · Critical · CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H (network, low complexity, no privileges, no user interaction, unchanged scope, high confidentiality impact, no integrity impact, high availability impact)
EPSS: 1.15% (62.8th percentile)
Due to improper configuration of the XML parser, user-supplied XML is parsed without sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 products. A successful XXE attack could allow a remote, unauthenticated attacker to:
* Read sensitive files from the server's filesystem.
* Perform denial-of-service (DoS) attacks that render the affected service unavailable.
Affected
31 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | <= 2.0.0 | — |
| wso2 | wso2_api_manager | < 2.0.0 | 2.0.0 |
| wso2 | wso2_api_manager | >= 4.0.0 < 4.0.0.311 | 4.0.0.311 |
| wso2 | wso2_api_manager | >= 4.1.0 < 4.1.0.152 | 4.1.0.152 |
| wso2 | wso2_api_manager | >= 4.2.0 < 4.2.0.122 | 4.2.0.122 |
| wso2 | wso2_api_manager | (unversioned entries) | — |
| wso2 | wso2_enterprise_integrator | (unversioned entries) | — |
| wso2 | wso2_enterprise_service_bus | (unversioned entries) | — |
| wso2 | wso2_micro_integrator | (unversioned entries) | — |
CVSS provenance
* nvd (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* vendor_msrc: 6.2 MEDIUM (this score belongs to CVE-2024-2905, the rpm-ostree /etc/shadow issue, not to this CVE)
GHSA
WSO2 API Manager XML External Entity (XXE) vulnerability
ghsa · 2025-05-05 · CVE-2025-2905 [CRITICAL] · CWE-611
An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution.
This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks.
* On systems running JDK 7 or early JDK 8, full file contents may be exposed.
* On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior.
* DoS attacks such as "Billion Laughs" payloads can cause service disruption.
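The two outcomes the advisories describe (file read through a SYSTEM entity, and DoS through nested entity expansion) and the corresponding parser hardening, as an added example that is not WSO2 code or part of either advisory. It uses Python's bundled expat parser rather than the Java parser in the WSO2 gateway, so the configuration knobs differ, but the behaviour is the same: `resolve_external=True` stands in for a parser that fetches SYSTEM entities, `allow_doctype=False` for the Xerces `disallow-doctype-decl` setting. The secret file, the payloads and the function names (`parse_text`, `entity_expansion_sizes`, `demo`) are constructed for this example. The expansion estimator goes beyond the text: it computes the size a Billion Laughs DTD would expand to without ever expanding it.

```python
import os
import re
import tempfile
import xml.parsers.expat as expat


class XmlRejected(Exception):
    """Raised by the hardened configuration when the document carries a DOCTYPE."""


def parse_text(doc, *, resolve_external, allow_doctype):
    """Parse `doc` and return its character data.

    resolve_external=True reproduces the misconfiguration behind CVE-2025-2905:
    SYSTEM entities are opened and inlined into the document. allow_doctype=False
    is the hardened setting (no DTD at all, so no entities of any kind).
    """
    parser = expat.ParserCreate()
    chunks = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise XmlRejected(f"DOCTYPE {name!r} not allowed")

    def on_external_entity(context, base, sysid, pubid):
        if not resolve_external:
            return 1  # skipped: the reference contributes nothing to the output
        child = parser.ExternalEntityParserCreate(context)  # inherits our handlers
        with open(sysid, "rb") as fh:  # demo only: local paths, no URL fetching
            child.Parse(fh.read(), True)
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)
    return "".join(chunks)


ENTITY_REF = re.compile(r"&([^;&]+);")


def entity_expansion_sizes(doc):
    """Return {entity: expanded length} for the internal general entities declared in
    `doc`, computed from the declarations alone. expat hands us each value with
    general entity references still unexpanded, so nothing is ever blown up."""
    decls = {}
    parser = expat.ParserCreate()

    def on_entity(name, is_pe, value, base, sysid, pubid, notation):
        if not is_pe and value is not None:
            decls[name] = value

    parser.EntityDeclHandler = on_entity
    parser.Parse(doc, True)

    sizes = {}

    def size(name, stack=()):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity {name!r}")
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))  # literal characters
        for ref in ENTITY_REF.findall(value):
            total += size(ref, stack + (name,)) if ref in decls else 1  # &amp; etc. -> 1 char
        sizes[name] = total
        return total

    for name in decls:
        size(name)
    return sizes


def demo():
    """Run the vulnerable and hardened configurations on constructed payloads."""
    fd, secret = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("gw-admin:x:0:0::/root:/bin/bash\n")  # constructed stand-in for /etc/passwd
    xxe = (f'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY xxe SYSTEM "{secret}">]>'
           f"<payload>&xxe;</payload>")
    depth, fanout = 9, 10  # classic Billion Laughs shape: 3 * 10**9 bytes
    dtd = '<!ENTITY lol0 "lol">'
    for i in range(1, depth + 1):
        dtd += f'<!ENTITY lol{i} "{f"&lol{i - 1};" * fanout}">'
    laughs = f"<!DOCTYPE lolz [{dtd}]><lolz/>"  # declares only, never references lol9
    try:
        vulnerable = parse_text(xxe, resolve_external=True, allow_doctype=True)
        no_external = parse_text(xxe, resolve_external=False, allow_doctype=True)
        try:
            parse_text(xxe, resolve_external=False, allow_doctype=False)
            hardened = "parsed"
        except XmlRejected as exc:
            hardened = f"rejected: {exc}"
        lol_bytes = entity_expansion_sizes(laughs)[f"lol{depth}"]
    finally:
        os.unlink(secret)
    return {"vulnerable": vulnerable, "no_external": no_external,
            "hardened": hardened, "lol_expansion": lol_bytes}


if __name__ == "__main__":
    print(demo())
```

Disabling external entity resolution alone is enough to stop the file read, but the DTD is still parsed, so the expansion estimate shows why the fixed builds should also refuse DOCTYPE outright: a nine-level, ten-wide DTD declares about 600 bytes and expands to three gigabytes.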
OSV
WSO2 API Manager XML External Entity (XXE) vulnerability
osv · 2025-05-05 · CVE-2025-2905 [CRITICAL]
Advisory text identical to the GHSA entry above.
Suricata
ET WEB_SPECIFIC_APPS WSO2 API Manager Blind XML External Entity Injection (CVE-2025-2905) M3
suricata · 2025-11-10 · CVSS 9.1 · CVE-2025-2905 [CRITICAL] · sid 2065718
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WSO2 API Manager Blind XML External Entity Injection (CVE-2025-2905) M3"; flow:established,to_server; http.uri; content:"/services/WorkflowCallbackService"; fast_pattern; startswith; http.request_body; content:"ns:resumeEvent"; content:"<![CDATA"; distance:0; http.method; content:"POST"; reference:url,crnkovic.dev/wso2-404-to-arbitrary-file-read/; reference:cve,2025-2905; classtype:web-application-attack; sid:2065718; rev:1; metadata:affected_product WSO2, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_10, cve CVE_2025_2905, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signatu
Suricata
ET WEB_SPECIFIC_APPS WSO2 API Manager Blind XML External Entity Injection (CVE-2025-2905) M2
suricata · 2025-11-10 · CVSS 9.1 · CVE-2025-2905 [CRITICAL] · sid 2065717
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WSO2 API Manager Blind XML External Entity Injection (CVE-2025-2905) M2"; flow:established,to_server; http.request_body; content:"payloadFactory"; fast_pattern; content:"|3c 21|DOCTYPE"; content:"application/json"; http.method; content:"POST"; reference:url,crnkovic.dev/wso2-404-to-arbitrary-file-read/; reference:cve,2025-2905; classtype:web-application-attack; sid:2065717; rev:1; metadata:affected_product WSO2, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_10, cve CVE_2025_2905, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Descripti
Suricata
ET WEB_SPECIFIC_APPS WSO2 API Manager Blind XML External Entity Injection (CVE-2025-2905) M1
suricata · 2025-11-10 · CVSS 9.1 · CVE-2025-2905 [CRITICAL] · sid 2065716
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WSO2 API Manager Blind XML External Entity Injection (CVE-2025-2905) M1"; flow:established,to_server; http.uri; content:"|2f 3c 21|DOCTYPE|09|"; fast_pattern; startswith; reference:url,crnkovic.dev/wso2-404-to-arbitrary-file-read/; reference:cve,2025-2905; classtype:web-application-attack; sid:2065716; rev:1; metadata:affected_product WSO2, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_10, cve CVE_2025_2905, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_10, mitre_tactic_id
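The matching logic of the three ET rules above, re-implemented in Python over raw HTTP requests and run against constructed traffic, as an added example (not Proofpoint/ET code and not a Suricata substitute). It approximates Suricata's `http.uri`, `http.request_body` and `http.method` buffers with the raw request-line URI, the body bytes and the method, and does not reproduce the URI normalisation Suricata applies before `http.uri` matching. The sample requests, the `HttpRequest` type and the function names are constructed for this example; what an actual exploit request looks like is taken only from the rule content, not from the referenced writeup.

```python
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, request-target and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method.decode("ascii"), uri.decode("latin-1"), body)


def sid_2065716_m1(req: HttpRequest) -> bool:
    # http.uri; content:"|2f 3c 21|DOCTYPE|09|"; startswith
    # i.e. the request-target begins with "/<!DOCTYPE" followed by a tab.
    return req.uri.startswith("/<!DOCTYPE\t")


def sid_2065717_m2(req: HttpRequest) -> bool:
    # http.request_body must contain all three tokens; the rule sets no
    # distance/within between them, so order does not matter. http.method POST.
    return req.method == "POST" and all(
        tok in req.body for tok in (b"payloadFactory", b"<!DOCTYPE", b"application/json"))


def sid_2065718_m3(req: HttpRequest) -> bool:
    # http.uri startswith /services/WorkflowCallbackService; body contains
    # "ns:resumeEvent" and, at distance:0 (anywhere after it), "<![CDATA"; POST.
    if req.method != "POST" or not req.uri.startswith("/services/WorkflowCallbackService"):
        return False
    anchor = req.body.find(b"ns:resumeEvent")
    if anchor < 0:
        return False
    return req.body.find(b"<![CDATA", anchor + len(b"ns:resumeEvent")) >= 0


RULES = {2065716: sid_2065716_m1, 2065717: sid_2065717_m2, 2065718: sid_2065718_m3}


def evaluate(raw: bytes) -> list:
    """Return the sorted sids that fire on one raw request."""
    req = parse_request(raw)
    return sorted(sid for sid, match in RULES.items() if match(req))


# Constructed traffic, not captured: one benign call and one request per rule.
BENIGN = (b"POST /api/am/publisher/v4/apis HTTP/1.1\r\nHost: gw\r\n"
          b"Content-Type: application/json\r\n\r\n{\"name\":\"orders\"}")
M1 = b"GET /<!DOCTYPE\tx HTTP/1.1\r\nHost: gw\r\n\r\n"
M2 = (b"POST /api/am/publisher/v4/apis HTTP/1.1\r\nHost: gw\r\n\r\n"
      b'{"mediation":"<payloadFactory media-type=\\"xml\\"><!DOCTYPE a>",'
      b'"contentType":"application/json"}')
M3 = (b"POST /services/WorkflowCallbackService HTTP/1.1\r\nHost: gw\r\n\r\n"
      b"<ns:resumeEvent><ns:workflowReference><![CDATA[x]]></ns:workflowReference>"
      b"</ns:resumeEvent>")


def run_samples() -> dict:
    """Evaluate every constructed sample; used to check the rule logic."""
    return {name: evaluate(raw) for name, raw in
            (("benign", BENIGN), ("m1", M1), ("m2", M2), ("m3", M3))}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name}: {sids or 'no alert'}")
```

All three content matches are case-sensitive (no `nocase` in the rules), and M1 has no method constraint, so a GET with the DOCTYPE-prefixed path fires it. Because every rule inspects the decrypted request (`tls_state TLSDecrypt`), the same logic is only useful on a sensor that sits behind TLS termination or has the gateway's keys.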
No public exploits indexed.
No writeups or analysis indexed (the Suricata rules above reference crnkovic.dev/wso2-404-to-arbitrary-file-read/).
Published: 2025-05-05