CVE-2025-2905: 
Java vulnerability analysis and mitigation

An XML External Entity (XXE) vulnerability (CVE-2025-2905) was identified in the gateway component of WSO2 API Manager 2.0.0 and earlier versions. The vulnerability was discovered on May 5, 2025, and received a Critical CVSS v3.1 base score of 9.1 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H. The issue stems from insufficient validation of XML input in crafted URL paths, where user-supplied XML is parsed without appropriate restrictions, enabling external entity resolution (WSO2 Advisory, NVD).

The vulnerability exists due to improper validation of XML input when processing crafted URL paths in the gateway component. The flaw allows XML parsing without sufficient restrictions, enabling XML External Entity (XXE) resolution. The vulnerability has been assigned CWE-611 (Improper Restriction of XML External Entity Reference) and can be exploited by an unauthenticated remote attacker (SecurityOnline, WSO2 Advisory).

The vulnerability can be exploited by an unauthenticated remote attacker to read files from the server's filesystem and perform denial-of-service (DoS) attacks. The extent of file access varies depending on the Java runtime environment: on JDK 7 or early JDK 8, full file contents may be exposed, while on later versions of JDK 8 and newer, only the first line of a file may be readable. Additionally, DoS attacks using malicious payloads like 'Billion Laughs' can cause service disruption (SecurityOnline, WSO2 Advisory).

No new fix will be released for this vulnerability as it was already addressed in the patch provided for WSO2-2016-0151, which resolved both a previously disclosed XSS vulnerability and this XXE vulnerability. Organizations that have already applied the fix for WSO2-2016-0151 require no further action. However, those who haven't applied the earlier fix are strongly advised to do so immediately (WSO2 Advisory).

WSO2 credits the researcher crnkovic for responsibly reporting the vulnerability and collaborating on its resolution. Despite sharing its fix with a previously disclosed Medium severity issue (XSS), WSO2 published a separate advisory to ensure users are aware of the Critical severity (CVSS 9.1) of this XXE vulnerability (WSO2 Advisory).