What is CVE-2025-11093?

CVE-2025-11093 is a high-severity vulnerability in Wso2 Org.apache.synapse:synapse-core, classified under Code Injection. CVSS score: 8.4/10. Published 2025-11-05.

How severe is CVE-2025-11093?

High severity. CVSS v3 base score is 8.4 out of 10.

RCE in Wso2 Org.apache.synapse:synapse-core

CVE-2025-11093

An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code withi…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.001 (33.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.4 (High). Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Wso2 Org.apache.synapse:synapse-core — versions 2.1.7.wso2v227, 2.1.7.wso2v271, 2.1.7.wso2v143
Wso2 Org.apache.synapse:synapse-extensions — versions 2.1.7.wso2v227, 2.1.7.wso2v271, 2.1.7.wso2v143
Wso2 Api Control Plane — versions 4.5.0
Wso2 Api Manager — versions 0, 3.1.0, 3.2.0
Wso2 Enterprise Integrator — versions 0, 6.6.0
Wso2 Identity Server As Key Manager — versions 0, 5.10.0
Wso2 Micro Integrator — versions 0, 4.0.0, 4.1.0
Wso2 Open Banking Am — versions 0, 2.0.0
Wso2 Open Banking Iam — versions 0, 2.0.0
Wso2 Traffic Manager — versions 4.5.0

Weakness classification (CWE)

CWE-94 — Code Injection

References

security.docs.wso2.com/en/latest/security-announcements/security-advisories/202… (vendor-advisory)

Frequently asked questions

What is CVE-2025-11093?: CVE-2025-11093 is a high-severity vulnerability in Wso2 Org.apache.synapse:synapse-core, classified under Code Injection. CVSS score: 8.4/10. Published 2025-11-05.
How severe is CVE-2025-11093?: High severity. CVSS v3 base score is 8.4 out of 10.