Reflected Cross-Site Scripting Vulnerability in WSO2 Identity Server
CVE-2025-0209

6.1MEDIUM

Key Information:

Vendor: Wso2
Status: Wso2 Identity Server
Vendor: CVE Published:; 23 September 2025

What is CVE-2025-0209?

A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improper output encoding. This flaw allows a malicious actor to inject a crafted JavaScript payload, which is then reflected in the server's response, enabling execution in the victim's browser. As a result, attackers could redirect users to malicious websites, alter the user interface, or extract data from the browser. The risk of session hijacking is somewhat mitigated, as session-related sensitive cookies are secured with the httpOnly flag.

Affected Version(s)

WSO2 Identity Server 7.0.0 < 7.0.0.87

References

https://security.docs.wso2.com/en/latest/security-announc...

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 23, 2025
Vulnerability Reserved
Jan 3, 2025

Credit

Western

JSON