CVE-2025-5605
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/10/2025
Last modified:
21/11/2025
Description
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.<br />
<br />
The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.
Impact
Base Score 3.x
4.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page