SSRF and XSS Vulnerabilities in WSO2 Products Affecting Administrative Users
CVE-2025-5350
Key Information:
- Vendor: WSO2
- CVE Published: 24 October 2025
What is CVE-2025-5350?
Multiple WSO2 products contain server-side request forgery (SSRF) and reflected cross-site scripting (XSS) vulnerabilities in the deprecated Try-It feature. The feature, which is accessible only to administrative users, accepts user-supplied URLs without validation; an attacker can exploit this by tricking an administrator into clicking a crafted link. The server then fetches the malicious content and reflects it into the administrator's browser, where embedded JavaScript executes. Although session cookies are protected with the HttpOnly flag, the potential for data exfiltration and manipulation still poses a serious security threat. In addition, the SSRF may permit privileged users to probe internal services, risking internal network enumeration where the targeted endpoints are reachable from the server.
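As an added illustration (not WSO2's code; the actual fix is upgrading to the patched versions listed below), this is the shape of a hardened Try-It style proxy handler: it validates the user-supplied URL before the server fetches it and HTML-encodes the fetched body before reflecting it. The allowlisted host, the injectable `resolve` and `fetch` hooks and all function names are assumptions made for the demo.

```python
import html
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist of hosts the proxy may fetch from (an assumption for this demo).
ALLOWED_HOSTS = {"api.example.test"}

def resolve_host(host):
    """Return every IP address the host resolves to (IPv4 and IPv6, scope id stripped)."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})

def validate_target_url(raw_url, allowed_hosts=ALLOWED_HOSTS, resolve=resolve_host):
    """Return the URL if the server may fetch it, otherwise raise ValueError (the SSRF fix)."""
    parsed = urlparse(raw_url)
    # Only web schemes: no file:// or other protocol handlers.
    if parsed.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parsed.scheme)
    host = parsed.hostname
    if not host or parsed.username or parsed.password:
        raise ValueError("missing host or embedded credentials")
    if host.lower() not in allowed_hosts:
        raise ValueError("host not in allowlist: %r" % host)
    # Every resolved address must be publicly routable, so the endpoint cannot be
    # pointed at loopback, RFC 1918 space or other internal services.
    for addr in resolve(host):
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError("host resolves to a non-public address: %s" % addr)
    # DNS rebinding can change the answer between this check and the fetch; a production
    # fetcher should connect to the address validated here rather than re-resolve.
    return parsed.geturl()

def is_safe_target(raw_url, **validate_kwargs):
    """Yes/no wrapper around validate_target_url."""
    try:
        validate_target_url(raw_url, **validate_kwargs)
        return True
    except ValueError:
        return False

def try_it_response(raw_url, fetch, **validate_kwargs):
    """Fetch the validated URL and return an HTML fragment safe to reflect (the XSS fix)."""
    body = fetch(validate_target_url(raw_url, **validate_kwargs))
    # Escaping turns markup returned by the remote server into text; the admin's
    # browser renders it instead of executing it.
    return "<pre>%s</pre>" % html.escape(body, quote=True)
```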
Affected Version(s)
org.wso2.carbon:org.wso2.carbon.ui 4.5.3 < 4.5.3.41
org.wso2.carbon:org.wso2.carbon.ui 4.6.0 < 4.6.0.1087
org.wso2.carbon:org.wso2.carbon.ui 4.6.1 < 4.6.1.151
