CVE-2025-10713
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.
A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
| Software | From | Fixed in |
|---|---|---|
org.wso2.carbon.mediation / org.wso2.carbon.localentry
|
- | - |
| wso2 / api_control_plane | 4.5.0 | 4.5.0.x |
| wso2 / api_manager | 3.1.0 | 3.1.0.x |
| wso2 / api_manager | 3.2.0 | 3.2.0.x |
| wso2 / api_manager | 3.2.1 | 3.2.1.x |
| wso2 / api_manager | 4.0.0 | 4.0.0.x |
| wso2 / api_manager | 4.1.0 | 4.1.0.x |
| wso2 / api_manager | 4.2.0 | 4.2.0.x |
| wso2 / api_manager | 4.3.0 | 4.3.0.x |
| wso2 / api_manager | 4.4.0 | 4.4.0.x |
| wso2 / api_manager | 4.5.0 | 4.5.0.x |
| wso2 / enterprise_integrator | 6.6.0 | 6.6.0.x |
| wso2 / identity_server | 5.10.0 | 5.10.0.x |
| wso2 / identity_server | 5.11.0 | 5.11.0.x |
| wso2 / identity_server | 7.1.0 | 7.1.0.x |
| wso2 / open_banking_am | 2.0.0 | 2.0.0.x |
| wso2 / open_banking_iam | 2.0.0 | 2.0.0.x |
| wso2 / traffic_manager | 4.5.0 | 4.5.0.x |
| wso2 / universal_gateway | 4.5.0 | 4.5.0.x |
- https://github.com/wso2/carbon-mediation/commit/b995b2f1db96a4697791f0202cc8713f15640fd5
- https://github.com/wso2/carbon-mediation/pull/1784
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime