CVE-2025-5350— SSRF and Reflected XSS Vulnerability in Deprecated Try-It Feature of Multiple WSO2 Products
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-5350
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SSRF and Reflected XSS Vulnerability in Deprecated Try-It Feature of Multiple WSO2 Products
Source: NVD (National Vulnerability Database)
Vulnerability Description
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context. By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk. Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WSO2 API Manager 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WSO2 API Manager是美国WSO2公司的一套API生命周期管理解决方案。 WSO2 API Manager存在安全漏洞,该漏洞源于Try-It功能未正确验证用户提供的URL,可能导致服务端请求伪造和反射型跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| WSO2 | WSO2 Identity Server | 5.10.0 ~ 5.10.0.359 | - | |
| WSO2 | WSO2 Enterprise Integrator | 6.6.0 ~ 6.6.0.218 | - | |
| WSO2 | WSO2 API Manager | 3.1.0 ~ 3.1.0.332 | - | |
| WSO2 | WSO2 Universal Gateway | 4.5.0 ~ 4.5.0.7 | - | |
| WSO2 | WSO2 Traffic Manager | 4.5.0 ~ 4.5.0.7 | - | |
| WSO2 | WSO2 API Control Plane | 4.5.0 ~ 4.5.0.7 | - | |
| WSO2 | WSO2 Open Banking AM | 2.0.0 ~ 2.0.0.380 | - | |
| WSO2 | WSO2 Open Banking IAM | 2.0.0 ~ 2.0.0.401 | - | |
| WSO2 | WSO2 Identity Server as Key Manager | 5.10.0 ~ 5.10.0.352 | - | |
| WSO2 | org.wso2.carbon:org.wso2.carbon.ui | 4.5.3 ~ 4.5.3.41 | - |
II. Public POCs for CVE-2025-5350
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | WSO2 products contain SSRF and reflected XSS vulnerabilities in the deprecated Try-It feature accessible only to administrative users, caused by improper URL validation and direct content reflection, letting attackers trick admins into executing arbitrary JavaScript and querying internal services. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-5350.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-5350
请登录查看更多情报信息。
- Security Advisory WSO2-2025-4124/CVE-2025-5350vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-5350
IV. Related Vulnerabilities
Same product: WSO2 Identity Server
- CVE-2025-10503
Reflected Cross-Site Scripting via Authentication Endpoint i - CVE-2025-12624
Improper Token Invalidation in WSO2 Identity Server Allows A - CVE-2025-12107
Potential authenticated Server-Side Template Injection (SSTI - CVE-2025-5770
Reflected Cross-Site Scripting (XSS) in Authentication Endpo - CVE-2025-3125
Authenticated Arbitrary File Upload in Multiple WSO2 Product
Same vendor: WSO2
- CVE-2025-10503
Reflected Cross-Site Scripting via Authentication Endpoint i - CVE-2025-12624
Improper Token Invalidation in WSO2 Identity Server Allows A - CVE-2025-6024
Cross-Site Scripting via Authentication Endpoint in Multiple - CVE-2024-10242
Reflected Cross-Site Scripting via Authentication Endpoint i - CVE-2024-8010
XML External Entity Injection via Publisher in WSO2 API Mana
Same weakness: CWE-918
- CVE-2026-8193
Akaunting Invoice PDF Rendering dompdf.php server-side reque - CVE-2026-44313
LinkWarden: Server-Side Request Forgery (SSRF) in Link Creat - CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processe - CVE-2026-42346
Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validatio - CVE-2026-42339
New API: SSRF Filter Bypass via 0.0.0.0
V. Comments for CVE-2025-5350
No comments yet