Arbitrary File Upload Vulnerability in WSO2 Products
CVE-2025-3125

6.7MEDIUM

Key Information:

Vendor: Wso2
Status: Wso2 Identity Server; Wso2 Enterprise Integrator; Wso2 Open Banking Iam; Wso2 Identity Server As Key Manager
Vendor: CVE Published:; 5 November 2025

What is CVE-2025-3125?

An arbitrary file upload vulnerability exists in various WSO2 products due to inadequate input validation within the CarbonAppUploader admin service endpoint. An authenticated attacker possessing sufficient privileges can exploit this weakness to upload a malicious file to a user-defined location on the server. This scenario may result in unauthorized remote code execution, depending on the nature of the uploaded file. By default, this functionality is limited to administrator users, making the successful execution of this attack contingent upon obtaining valid administrative credentials.

Affected Version(s)

org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.19 < 4.7.19.7

org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.32 < 4.7.32.5

org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.35 < 4.7.35.8

References

https://security.docs.wso2.com/en/latest/security-announc...

vendor-advisory

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 5, 2025
Vulnerability Reserved
Apr 2, 2025

Credit

Danh Nguyen (k4it0) from VIB Pentest Team

JSON

Wso2

What is CVE-2025-3125?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit