CVE-2025-8154
HTTP Header Injection in Webhook API

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: WSO2 LLC

Description
In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.
Affected Vendors & Products
4 associated CPEs:

Vendor   Product              Version / Range
wso2     api_control_plane    4.5.0
wso2     api_manager          4.5.0
wso2     traffic_manager      4.5.0
wso2     universal_gateway    4.5.0
CWE

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a malicious actor to inject or overwrite arbitrary HTTP response headers, which can lead to the injection of sensitive information such as cookie values and potentially enable session hijacking or other malicious activities.

Such security impacts could undermine the protection of personal and sensitive data, potentially affecting compliance with standards and regulations like GDPR and HIPAA that require safeguarding user data and ensuring secure handling of information.

However, the provided information does not explicitly state the direct effects on compliance with these standards.


Can you explain this vulnerability to me?

CVE-2025-8154 is a medium-severity vulnerability in multiple WSO2 products where the Webhook API accepts user-supplied input for HTTP request headers without proper validation or sanitization.

This flaw allows an attacker to inject or overwrite arbitrary HTTP response headers, which can manipulate how browsers cache content, alter security-related headers, or inject sensitive information such as cookie values.


How can this vulnerability impact me?

Exploiting this vulnerability can lead to several adverse effects including manipulation of browser caching behavior, modification of security headers, and injection of sensitive information like cookies.

These impacts may enable session hijacking or other malicious activities, potentially compromising the security and integrity of affected systems.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2025-8154, WSO2 recommends applying public fixes available on GitHub or updating to the latest unaffected versions of the affected products.

  • Apply the official patches or updates provided by WSO2 for API Control Plane, API Manager, Traffic Manager, and Universal Gateway.
  • Upgrade to versions later than 4.5.0 or the specific update levels provided for support subscription holders.
