CVE-2025-11093

EUVD-2025-37932
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.

By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.4 HIGH
ADJACENT_NETWORK
LOW
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
WSO2CNA
8.4 HIGH
ADJACENT_NETWORK
LOW
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 36%
Affected Products (NVD)
VendorProductVersion
wso2api_control_plane
4.5.0 ≤
𝑥
< 4.5.0.29
wso2api_manager
3.1.0 ≤
𝑥
< 3.1.0.345
wso2api_manager
3.2.0 ≤
𝑥
< 3.2.0.446
wso2api_manager
3.2.1 ≤
𝑥
< 3.2.1.66
wso2api_manager
4.1.0 ≤
𝑥
< 4.1.0.228
wso2api_manager
4.2.0 ≤
𝑥
< 4.2.0.169
wso2api_manager
4.3.0 ≤
𝑥
< 4.3.0.81
wso2api_manager
4.4.0 ≤
𝑥
< 4.4.0.45
wso2api_manager
4.5.0 ≤
𝑥
< 4.5.0.28
wso2enterprise_integrator
6.6.0 ≤
𝑥
< 6.6.0.224
wso2micro_integrator
4.0.0 ≤
𝑥
< 4.0.0.145
wso2micro_integrator
4.1.0 ≤
𝑥
< 4.1.0.147
wso2micro_integrator
4.2.0 ≤
𝑥
< 4.2.0.141
wso2micro_integrator
4.3.0 ≤
𝑥
< 4.3.0.42
wso2micro_integrator
4.4.0 ≤
𝑥
< 4.4.0.27
wso2traffic_manager
4.5.0 ≤
𝑥
< 4.5.0.27
wso2universal_gateway
4.5.0 ≤
𝑥
< 4.5.0.27
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/