CVE-2025-5350

Q: What is the severity of CVE-2025-5350?

CVE-2025-5350 has a CVSS score of 5.9 (MEDIUM). This vulnerability allows attackers to perform SSRF attacks and execute reflected XSS in WSO2 products through the deprecated Try-It feature. Only administrative users are affected, as exploitation requires tricking an admin into clicking a malicious link. Successful exploitation could lead to internal network enumeration and UI manipulation in the admin context.

5.9 MEDIUM

Cross-Site Scripting SSRF

📋 TL;DR

This vulnerability allows attackers to perform SSRF attacks and execute reflected XSS in WSO2 products through the deprecated Try-It feature. Only administrative users are affected, as exploitation requires tricking an admin into clicking a malicious link. Successful exploitation could lead to internal network enumeration and UI manipulation in the admin context.

💻 Affected Systems

Products:

WSO2 API Manager
WSO2 Identity Server
WSO2 Enterprise Integrator

Versions: Multiple versions with deprecated Try-It feature

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects administrative users with access to the deprecated Try-It feature

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains admin privileges through XSS, exfiltrates sensitive data, and uses SSRF to pivot to internal systems for lateral movement.

🟠

Likely Case

Attacker uses XSS to manipulate admin UI for phishing or data theft, while SSRF reveals internal service information.

🟢

If Mitigated

Limited impact due to admin-only access requirement and HttpOnly cookies, but still enables UI manipulation and internal reconnaissance.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires social engineering to trick admin into clicking malicious link

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific product versions

Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/

Restart Required: No

Instructions:

1. Review vendor advisory for affected products. 2. Apply recommended patches. 3. Verify Try-It feature is disabled or removed.

🔧 Temporary Workarounds

Disable Try-It Feature

all

Completely disable the deprecated Try-It feature in WSO2 configuration

Edit deployment.toml: [admin.try_it] enabled = false

Restrict Admin Access

all

Limit administrative access to trusted networks and implement MFA

🧯 If You Can't Patch

Disable Try-It feature immediately in all configurations
Implement strict network segmentation to limit SSRF impact
Train administrators to recognize phishing attempts

🔍 How to Verify

Check if Vulnerable:

Check if Try-It feature is enabled and accessible to admin users

Check Version:

Check product version via management console or deployment files

Verify Fix Applied:

Verify Try-It feature is disabled or patched, test with controlled SSRF/XSS payloads

📡 Detection & Monitoring

Log Indicators:

Unusual outbound requests from WSO2 server
Admin accessing Try-It with suspicious URLs

Network Indicators:

WSO2 server making unexpected internal network requests

SIEM Query:

source="wso2" AND (url_contains("try-it") OR outbound_request_to_internal_ip)

📊 Metadata

CVE ID: CVE-2025-5350

CVSS v3 Score: 5.9 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

CWE: CWE-79

EPSS Score: 0.02% exploit probability (5.8th percentile)

Published: October 24, 2025

Last Updated: November 21, 2025

🔗 References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/ Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Api Control Plane by Wso2

Api Manager by Wso2

Api Manager by Wso2

Api Manager by Wso2

Api Manager by Wso2

Api Manager by Wso2

Api Manager by Wso2

Api Manager by Wso2

Api Manager by Wso2

Api Manager by Wso2

Enterprise Integrator by Wso2

Identity Server by Wso2

Identity Server by Wso2

Identity Server by Wso2

Identity Server by Wso2

Identity Server by Wso2

Identity Server by Wso2

Identity Server As Key Manager by Wso2

Open Banking Am by Wso2

Open Banking Iam by Wso2

Traffic Manager by Wso2

Universal Gateway by Wso2

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Try-It Feature

Restrict Admin Access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities