How severe is CVE-2025-2905?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2025-2905?

This is classified as CWE-611, which is a common weakness in software security.

CVE-2025-2905 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks. * On systems running JDK 7 or early JDK 8, full file contents may be exposed. * On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior. * DoS attacks such as "Billion Laughs" payloads can cause service disruption.

Related Vulnerabilities

CVE-2012-2239

CRITICAL

CVSS:9.1(Critical)

Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading...

CWE-6112012

CVE-2012-3363

CRITICAL

CVSS:9.1(Critical)

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connect...

CWE-6112012

CVE-2013-4333

CRITICAL

CVSS:9.1(Critical)

OpenPNE 3 versions 3.8.7, 3.6.11, 3.4.21.1, 3.2.7.6, 3.0.8.5 has an External Entity Injection Vulnerability

CWE-6112013

CVE-2014-0931

CRITICAL

CVSS:9.1(Critical)

Multiple XML external entity (XXE) vulnerabilities in the (1) CCRC WAN Server / CM Server, (2) Perl CC/CQ integration trigger scripts, (3) CMAPI Java interface, (4) ClearCase remote client, and (5) CM...

CWE-6112014

CVE-2016-2908

CRITICAL

CVSS:9.1(Critical)

IBM Single Sign On for Bluemix could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML parser. A remote attacker ...

CWE-6112016

CVE-2016-3974

CRITICAL

CVSS:9.1(Critical)

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access ...

CWE-6112016