File Upload Flaw in WSO2 Products Exposes Systems to Exploitation
CVE-2025-10907

8.4 HIGH

What is CVE-2025-10907?

Multiple WSO2 products expose management operations as SOAP admin services, and some of those services accept file uploads. In the affected components the service does not adequately validate either the content of the upload or the destination path supplied by the caller, so an actor holding administrative credentials can write attacker-chosen content to an attacker-chosen location on the server, which can lead to remote code execution in the server's context. Exploitation requires admin access, but the CVSS Scope is Changed: the impact is not confined to the admin service's own authorization boundary, so a compromised, phished or over-provisioned admin account is enough to reach that outcome. Upgrade the affected components to the fixed versions listed below; until then, keep the admin service endpoints off untrusted networks and review who actually holds administrative roles.
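The flaw class described above, an arbitrary file write through a caller-controlled destination and unvalidated content, is easy to reproduce in a few lines. The following is an added example written for this page; it is not WSO2's code and does not reproduce the vulnerable code path, which the advisory does not publish. `vulnerable_destination` shows why trusting the caller's path surrenders control of the write location, and `safe_destination` shows the checks a hardened upload handler applies before it writes. The base directory, the allowed-type table and the magic-byte prefixes are assumptions chosen for illustration.

```python
import os

# Allowlist of upload types this hypothetical endpoint accepts, mapped to the
# magic bytes a genuine file of that type starts with (assumption for the
# example; the advisory does not describe WSO2's own rules).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}


def vulnerable_destination(base_dir, user_path):
    """The flaw class: the caller's path is trusted as the write location.

    os.path.join discards base_dir entirely when user_path is absolute, and
    '..' segments walk back out of it, so the caller, not the server, decides
    where the file lands. On an application server that means a directory
    the server executes from is within reach.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_destination(base_dir, user_name, content):
    """Return a destination inside base_dir for an upload, or raise ValueError.

    Validates the name, the declared type and the actual content before the
    path is even constructed, then proves containment on the canonical path.
    """
    # 1. Only a bare file name is accepted: no separators, traversal or NULs.
    if (not user_name or user_name in (".", "..")
            or any(c in user_name for c in "/\\\x00")):
        raise ValueError("file name must be a bare name")

    # 2. Declared type must be on the allowlist (lower-cased so .PDF == .pdf).
    ext = os.path.splitext(user_name)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError("file type not permitted: %r" % ext)

    # 3. Content must actually be that type; a JSP body named report.pdf is rejected.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")

    # 4. Canonicalise both sides and confirm the destination stays under base_dir.
    #    This is an independent second guard: it also catches a base_dir that is
    #    itself a symlink to somewhere unexpected.
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination escapes the upload directory")
    return dest


def accepts(base_dir, user_name, content):
    """True if safe_destination would accept the upload (convenience for checks)."""
    try:
        safe_destination(base_dir, user_name, content)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the first two show the vulnerable join, the rest
    # exercise the hardened path.
    print(vulnerable_destination("/srv/uploads", "../../outside.txt"))  # /outside.txt
    print(vulnerable_destination("/srv/uploads", "/etc/anything.txt"))  # /etc/anything.txt
    print(accepts("/srv/uploads", "report.pdf", b"%PDF-1.7\n"))          # True
    print(accepts("/srv/uploads", "../../outside.pdf", b"%PDF-1.7\n"))   # False
    print(accepts("/srv/uploads", "shell.jsp", b"<% %>"))                # False
    print(accepts("/srv/uploads", "logo.png", b"%PDF-1.7\n"))            # False
```

The order of the checks matters: the name and content are rejected before any path is built, and the containment test on the canonical path is kept even though step 1 already forbids separators, so a future relaxation of the name rule does not silently reopen the traversal.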

Affected Version(s)

org.apache.ws.commons.axiom.wso2:axiom: 1.2.11 up to, but not including, 1.2.11.wso2v17_5

org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt: 0.14.13 up to, but not including, 0.14.13.8

org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt: 0.14.16 up to, but not including, 0.14.16.1

These are the Maven coordinates of the patched components, not product version numbers. A deployment is affected if the product bundles a build of either component below the listed bound; check the versions of the bundled jars in the installation rather than relying on the product version alone.


CVSS V3.1

Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Score: 8.4 (High)
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Attack Vector is scored as Adjacent, which assumes the admin services are reachable only from a management network. Where they are exposed to the internet or to a broad corporate network, Network is the more honest value for the deployment and the base score rises to 9.1 (Critical).

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

crnković