What is CVE-2025-2905?

CVE-2025-2905 is a critical-severity vulnerability in Wso2 Api Manager, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 9.1/10. Published 2025-05-05.

How severe is CVE-2025-2905?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Is CVE-2025-2905 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XXE in Wso2 Api Manager

CVE-2025-2905

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.001 (32.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H.

Affected products

Wso2 Api Manager — versions 0, 2.1.0, 2.2.0
Wso2 Enterprise Integrator — versions 0, 6.0.0, 6.1.0
Wso2 Enterprise Service Bus — versions 0, 4.9.0, 5.0.0
Wso2 Micro Integrator — versions 0, 1.0.0, 1.1.0
Wso2 Open Banking Am — versions 0, 1.5.0

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

Public proof-of-concept exploits

tanjiti/sec_

References

security.docs.wso2.com/en/latest/security-announcements/security-advisories/202… (vendor-advisory)

Frequently asked questions

What is CVE-2025-2905?: CVE-2025-2905 is a critical-severity vulnerability in Wso2 Api Manager, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 9.1/10. Published 2025-05-05.
How severe is CVE-2025-2905?: Critical severity. CVSS v3 base score is 9.1 out of 10.
Is CVE-2025-2905 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.