
CVE-2025-3125


Published: Nov 5, 2025
Modified: Jan 20, 2026
State: PUBLISHED
CVSS v3.1 base score: 6.7 (MEDIUM)

Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

Affected products (vendor, product, version range, status)

Vendor: WSO2
Product: WSO2 Identity Server
  0 - < 5.10.0              unknown
  5.10.0 - < 5.10.0.360     affected
  5.11.0 - < 5.11.0.399     affected
  6.0.0 - < 6.0.0.235       affected
  6.1.0 - < 6.1.0.230       affected
  +2 more versions

Vendor: WSO2
Product: WSO2 Enterprise Integrator
  0 - < 6.6.0               unknown
  6.6.0 - < 6.6.0.217       affected

Vendor: WSO2
Product: WSO2 Open Banking IAM
  0 - < 2.0.0               unknown
  2.0.0 - < 2.0.0.402       affected

Vendor: WSO2
Product: WSO2 Identity Server as Key Manager
  0 - < 5.10.0              unknown
  5.10.0 - < 5.10.0.353     affected

Vendor: WSO2
Product: WSO2 API Manager
  0 - < 3.2.0               unknown
  3.2.0 - < 3.2.0.421       affected
  3.2.1 - < 3.2.1.41        affected
  4.0.0 - < 4.0.0.342       affected
  4.1.0 - < 4.1.0.203       affected
  +5 more versions

Vendor: WSO2
Product: WSO2 API Control Plane
  4.5.0 - < 4.5.0.2         affected
  4.6.0 - < 4.6.0.3         affected

Vendor: WSO2
Product: WSO2 Universal Gateway
  4.5.0 - < 4.5.0.2         affected
  4.6.0 - < 4.6.0.3         affected

Vendor: WSO2
Product: WSO2 Traffic Manager
  4.5.0 - < 4.5.0.2         affected
  4.6.0 - < 4.6.0.3         affected

Vendor: WSO2
Product: org.wso2.carbon.commons:org.wso2.carbon.application.upload
  4.7.19 - < 4.7.19.7       affected
  4.7.32 - < 4.7.32.5       affected
  4.7.35 - < 4.7.35.8       affected
  4.7.39 - < 4.7.39.1       affected
  4.7.49 - < 4.7.49.4       affected
  +4 more versions

Weaknesses (CWE)

CVSS v3.1 Details

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low
