Arbitrary Code Execution Vulnerability in WSO2 Products
CVE-2025-11093

CVSS v3.1 base score: 8.4 (HIGH)

What is CVE-2025-11093?

A vulnerability has been identified in several WSO2 products that allows authenticated users with elevated privileges to execute arbitrary code. The weakness stems from inadequate restrictions in the GraalJS and NashornJS Script Mediator engines. In WSO2 Micro Integrator and WSO2 Enterprise Integrator these scripting engines are normally available only to administrators, but WSO2 API Manager extends access to both administrators and API creators. A privileged user could therefore carry out unauthorized actions through the script mediator, potentially compromising the execution environment itself.

Affected Version(s)

org.apache.synapse:synapse-core 2.1.7.wso2v227 < 2.1.7.wso2v227_99

org.apache.synapse:synapse-core 2.1.7.wso2v271 < 2.1.7.wso2v271_88

org.apache.synapse:synapse-core 2.1.7.wso2v143 < 2.1.7.wso2v143_121
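The three ranges above use WSO2's fork-versioning scheme (base Synapse version, a `wso2vNNN` revision line, and an optional `_NNN` patch level), which plain semantic-version comparison mishandles. The following is an added example, not part of the advisory or of any WSO2 tooling: a small Python checker that parses such version strings, decides whether a given `synapse-core` version falls inside one of the affected ranges listed on this page, and scans a constructed sample `pom.xml` fragment for `org.apache.synapse:synapse-core` dependencies. It assumes that a version with no `_NNN` suffix is the `_0` patch level of its line, and that each listed range runs from the revision line's first patch level (inclusive) up to the fixed version (exclusive), matching the `<` notation used above.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Affected ranges exactly as listed in the advisory:
# (first version of the revision line, first fixed version).
AFFECTED_RANGES = [
    ("2.1.7.wso2v227", "2.1.7.wso2v227_99"),
    ("2.1.7.wso2v271", "2.1.7.wso2v271_88"),
    ("2.1.7.wso2v143", "2.1.7.wso2v143_121"),
]

# <base>.wso2v<revision>[_<patch>]  e.g. 2.1.7.wso2v271_42
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)\.wso2v(\d+)(?:_(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Split a WSO2-style synapse-core version into (base, wso2 revision, patch).

    Assumption (ours, not the advisory's): a missing _NNN suffix means patch 0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a WSO2-style synapse-core version: {version!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return base, revision, patch


def is_affected(version: str) -> bool:
    """True if `version` lies in one of the listed affected ranges.

    Comparison is only meaningful within the same base version and wso2
    revision line; versions on a line the advisory does not list return False
    because the advisory makes no statement about them.
    """
    base, revision, patch = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        s_base, s_rev, s_patch = parse_version(start)
        f_base, f_rev, f_patch = parse_version(fixed)
        if (base, revision) != (s_base, s_rev):
            continue
        return s_patch <= patch < f_patch
    return False


def _local(tag: str) -> str:
    """Strip the Maven POM XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_synapse_core_versions(pom_xml: str) -> List[str]:
    """Return every <version> declared for org.apache.synapse:synapse-core."""
    root = ET.fromstring(pom_xml)
    versions = []
    for element in root.iter():
        if _local(element.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        if (fields.get("groupId") == "org.apache.synapse"
                and fields.get("artifactId") == "synapse-core"
                and fields.get("version")):
            versions.append(fields["version"])
    return versions


def audit(pom_xml: str) -> Dict[str, bool]:
    """Map each synapse-core version found in the POM to whether it is affected."""
    return {v: is_affected(v) for v in find_synapse_core_versions(pom_xml)}


# Constructed sample POM fragment (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.synapse</groupId>
      <artifactId>synapse-core</artifactId>
      <version>2.1.7.wso2v271_42</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""


if __name__ == "__main__":
    for version, affected in audit(SAMPLE_POM).items():
        print(f"{version}: {'AFFECTED' if affected else 'not in a listed affected range'}")
```

The checker deliberately refuses to compare across revision lines: `2.1.7.wso2v271_42` is affected because it is below `2.1.7.wso2v271_88`, but nothing follows from that about `wso2v227` or `wso2v143`, each of which has its own fix level. Where the dependency version is inherited from a parent POM or a dependencyManagement section, run the check against the resolved version (for example the output of `mvn dependency:tree`) rather than the raw file.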

CVSS V3.1

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

crnković