Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader...

6.7 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE).

This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

Basic Information

ID CVE-2025-3125

Source WSO2

Published Nov 5, 2025 at 14:49

Modified Nov 5, 2025 at 18:59

Affected Product

Vendor WSO2

Product WSO2 Identity Server

Affected Versions WSO2 WSO2 Identity Server 5.10.0
WSO2 WSO2 Identity Server 5.11.0
WSO2 WSO2 Identity Server 6.0.0
WSO2 WSO2 Identity Server 6.1.0
WSO2 WSO2 Identity Server 7.0.0
WSO2 WSO2 Identity Server 7.1.0
WSO2 WSO2 Enterprise Integrator 6.6.0
WSO2 WSO2 Open Banking IAM 2.0.0
WSO2 WSO2 Identity Server as Key Manager 5.10.0
WSO2 WSO2 API Manager 3.2.0
WSO2 WSO2 API Manager 3.2.1
WSO2 WSO2 API Manager 4.0.0
WSO2 WSO2 API Manager 4.1.0
WSO2 WSO2 API Manager 4.2.0
WSO2 WSO2 API Manager 4.3.0
WSO2 WSO2 API Manager 4.4.0
WSO2 WSO2 API Manager 4.5.0
WSO2 WSO2 API Control Plane 4.5.0
WSO2 WSO2 Universal Gateway 4.5.0
WSO2 WSO2 Traffic Manager 4.5.0
WSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.19
WSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.32
WSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.35
WSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.39
WSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.49
WSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.52
WSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.10.13

CWE Classification

CWE-434

References

security.docs.wso2.com /en/latest/security-announcements/security-advisories/2025/WSO2-2025-3961/

{
    "lastseen": "",
    "description": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE).\n\nThis functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.",
    "published": "2025-11-05T14:49:44.597Z",
    "modified": "2025-11-05T18:59:01.426Z",
    "type": "cve",
    "title": "Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution",
    "source": "WSO2",
    "references": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3961/",
    "id": "CVE-2025-3125",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "WSO2 WSO2 Identity Server 5.10.0\nWSO2 WSO2 Identity Server 5.11.0\nWSO2 WSO2 Identity Server 6.0.0\nWSO2 WSO2 Identity Server 6.1.0\nWSO2 WSO2 Identity Server 7.0.0\nWSO2 WSO2 Identity Server 7.1.0\nWSO2 WSO2 Enterprise Integrator 6.6.0\nWSO2 WSO2 Open Banking IAM 2.0.0\nWSO2 WSO2 Identity Server as Key Manager 5.10.0\nWSO2 WSO2 API Manager 3.2.0\nWSO2 WSO2 API Manager 3.2.1\nWSO2 WSO2 API Manager 4.0.0\nWSO2 WSO2 API Manager 4.1.0\nWSO2 WSO2 API Manager 4.2.0\nWSO2 WSO2 API Manager 4.3.0\nWSO2 WSO2 API Manager 4.4.0\nWSO2 WSO2 API Manager 4.5.0\nWSO2 WSO2 API Control Plane 4.5.0\nWSO2 WSO2 Universal Gateway 4.5.0\nWSO2 WSO2 Traffic Manager 4.5.0\nWSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.19\nWSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.32\nWSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.35\nWSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.39\nWSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.49\nWSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.7.52\nWSO2 org.wso2.carbon.commons:org.wso2.carbon.application.upload 4.10.13",
    "sourceHref": "",
    "cvss": {
        "score": 6.7,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WSO2 Identity Server",
    "version": "0",
    "vendor": "WSO2",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution_CVE-2025-3125