CVE-2025-8154
Analyzed Analyzed - Analysis Complete
HTTP Header Injection in Webhook API

Publication date: 2026-05-11

Last updated on: 2026-05-27

Assigner: WSO2 LLC

Description
In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-27
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2025-8154
EUVD
EUVD-2025-209758
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
wso2 api_control_plane From 4.5.0 (inc) to 4.5.0.21 (exc)
wso2 api_manager From 4.1.0 (inc) to 4.1.0.218 (exc)
wso2 api_manager From 4.2.0 (inc) to 4.2.0.164 (exc)
wso2 api_manager From 4.3.0 (inc) to 4.3.0.74 (exc)
wso2 api_manager From 4.4.0 (inc) to 4.4.0.38 (exc)
wso2 api_manager From 4.5.0 (inc) to 4.5.0.20 (exc)
wso2 traffic_manager From 4.5.0 (inc) to 4.5.0.19 (exc)
wso2 universal_gateway From 4.5.0 (inc) to 4.5.0.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-8154 is a medium-severity vulnerability in multiple WSO2 products where the Webhook API accepts user-supplied input for HTTP request headers without proper validation or sanitization.

This flaw allows an attacker to inject or overwrite arbitrary HTTP response headers, which can manipulate how browsers cache content, alter security-related headers, or inject sensitive information such as cookie values.

Impact Analysis

Exploiting this vulnerability can lead to several adverse effects including manipulation of browser caching behavior, modification of security headers, and injection of sensitive information like cookies.

These impacts may enable session hijacking or other malicious activities, potentially compromising the security and integrity of affected systems.

Mitigation Strategies

To mitigate CVE-2025-8154, WSO2 recommends applying public fixes available on GitHub or updating to the latest unaffected versions of the affected products.

  • Apply the official patches or updates provided by WSO2 for API Control Plane, API Manager, Traffic Manager, and Universal Gateway.
  • Upgrade to versions later than 4.5.0 or the specific update levels provided for support subscription holders.
Compliance Impact

This vulnerability allows a malicious actor to inject or overwrite arbitrary HTTP response headers, which can lead to the injection of sensitive information such as cookie values and potentially enable session hijacking or other malicious activities.

Such security impacts could undermine the protection of personal and sensitive data, potentially affecting compliance with standards and regulations like GDPR and HIPAA that require safeguarding user data and ensuring secure handling of information.

However, the provided information does not explicitly state the direct effects on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8154. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart