CVE-2025-10503
Reflected XSS in Authentication Endpoint Enables Malicious Redirects

Publication date: 2026-04-29

Last updated on: 2026-05-01

Assigner: WSO2 LLC

Description
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.
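The description above names two separate defects: missing input validation and missing output encoding. The following added example (written for this page, not WSO2's code) shows the CWE-79 pattern in a constructed page renderer next to its hardened form, an allowlist validator, and a check a defender can run against a renderer to confirm that a probe marker no longer comes back unencoded. The parameter name `input`, the page template, the validation policy and the probe marker are all assumptions constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for an authentication page that echoes a request
# parameter back into HTML. The parameter name "input" is a placeholder taken
# from this page's curl example; it is not WSO2's real parameter name.
PAGE_TEMPLATE = "<html><body><p>Login failed for: {value}</p></body></html>"

# Harmless constructed marker: if it is reflected with its "<" and ">"
# intact, the endpoint is not encoding output for the HTML body context.
PROBE = '<b data-probe="1">x</b>'


def _param(query_string: str) -> str:
    """Extract the echoed parameter, decoding percent-encoding and '+'."""
    return parse_qs(query_string).get("input", [""])[0]


def render_unsafe(query_string: str) -> str:
    """CWE-79 pattern: the raw parameter value is concatenated into the page."""
    return PAGE_TEMPLATE.format(value=_param(query_string))


def render_safe(query_string: str) -> str:
    """Hardened form: HTML-encode before placing the value in the document.

    quote=True also encodes '"' and "'", so the same value is safe inside a
    quoted attribute, not only in element text.
    """
    return PAGE_TEMPLATE.format(value=html.escape(_param(query_string), quote=True))


# Allowlist validation, applied in addition to (not instead of) encoding.
# The policy here (printable identifier characters, bounded length) is an
# assumed example; a real endpoint would use the constraint its field requires.
_ALLOWED = re.compile(r"[A-Za-z0-9@._\- ]{0,64}")


def validate_input(value: str) -> bool:
    """True when the value satisfies the assumed allowlist policy."""
    return _ALLOWED.fullmatch(value) is not None


def probe_query() -> str:
    """Query string carrying the probe, percent-encoded as a browser would send it."""
    return urlencode({"input": PROBE})


def reflects_unencoded(response_body: str, marker: str) -> bool:
    """Detection check: the marker came back verbatim, markup characters intact."""
    return marker in response_body


def audit(render) -> bool:
    """Run the probe through a renderer; True means the renderer is vulnerable."""
    return reflects_unencoded(render(probe_query()), PROBE)


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        verdict = "reflects probe unencoded" if audit(fn) else "encodes output"
        print(f"{name}: {verdict}")
    print("allowlist accepts probe:", validate_input(PROBE))
```

The same `audit` check, pointed at an HTTP client instead of a local renderer, is what the detection guidance further down this page describes: send a marker, then look for it verbatim in the response body. The allowlist rejects the probe before rendering, but encoding remains the control that actually neutralises markup, which is why both are applied.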
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-29
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor   Product           Version / Range
wso2     identity_server   From 7.1.0 (inc) to 7.1.0.28 (exc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability is a reflected Cross-Site Scripting (XSS) flaw in the authentication endpoint of WSO2 Identity Server version 7.1.0. It occurs because the endpoint accepts user input without enforcing proper validation and output encoding, allowing attackers to inject malicious JavaScript payloads. When exploited, the injected script runs in the context of the user's browser, which can redirect the user to a malicious website, modify the web page's user interface, or extract information from the browser.

Impact Analysis

Exploiting this vulnerability allows an attacker to redirect your browser to malicious websites, alter the appearance or behavior of the affected web page, or retrieve information from your browser.

However, session hijacking is not possible because session-related cookies are protected with the httpOnly flag, which prevents client-side scripts from accessing them.

Detection Guidance

The flaw is caused by improper output encoding of user-supplied input in the authentication endpoint of WSO2 Identity Server 7.1.0.

To detect it on your system, test the authentication endpoint by injecting typical XSS payloads in input fields or URL parameters and observing whether the payload is reflected unencoded in the response.

Tools that assist detection include curl and browser-based tools, used to send requests containing XSS payloads such as <script>alert(1)</script> and to check the response for unencoded script tags.

  • Example curl command to test the authentication endpoint: curl -i -X GET 'https://your-wso2-server/auth?input=<script>alert(1)</script>'
  • Use browser developer tools or an intercepting proxy (e.g., Burp Suite) to inject payloads and monitor whether they are reflected in responses.

Mitigation Strategies

To mitigate the reflected Cross-Site Scripting (XSS) vulnerability in WSO2 Identity Server version 7.1.0, you should:

  • Apply the publicly available fix from the WSO2 GitHub repository at https://github.com/wso2/identity-apps/pull/8295 if you are a community user.
  • If applying the fix is not feasible, upgrade to the latest unaffected product version.
  • Support subscription holders should update WSO2 Identity Server 7.1.0 to update level 28 or higher.

Either step ensures proper output encoding is enforced, preventing malicious JavaScript injection via the authentication endpoint.

Compliance Impact

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
