Skip to main content

WSO2 API Manager CVE-2025-8154

| EUVDEUVD-2025-209758 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-11 WSO2 GHSA-j72f-vgmh-c8hr
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
May 11, 2026 - 11:01 EUVD
Analysis Generated
May 11, 2026 - 10:31 vuln.today
CVE Published
May 11, 2026 - 09:30 nvd
MEDIUM 5.3

DescriptionCVE.org

In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses.

By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.

AnalysisAI

HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or overwrite arbitrary HTTP response headers via unsanitized user-supplied input. Successful exploitation enables cache manipulation, security header alteration, cookie injection, and potential session hijacking. CVSS 5.3 (network-accessible, low complexity, no authentication required); no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

The vulnerability exists in the Webhook API component of WSO2 API management products, where HTTP request headers from user input are reflected into HTTP responses without proper validation or sanitization. This is a classic header injection vulnerability (CWE-74: Improper Neutralization of Special Elements used in an Output Command) that occurs when user-controlled data is passed unsanitized into HTTP response construction logic. The affected products are all part of WSO2's API management and gateway suite, which process HTTP requests through gateway and management components. The root cause is insufficient input filtering before header values are written to HTTP response streams, allowing attackers to inject newline characters (CR/LF) and additional headers.

RemediationAI

Apply the vendor-released patch from WSO2 security advisory WSO2-2025-4410 (https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/) which includes input validation and sanitization fixes for Webhook API header handling. Exact patched version numbers must be obtained from the advisory; upgrade all affected products (API Manager, Universal Gateway, Traffic Manager, API Control Plane, Carbon API Gateway, and Carbon API Management Implementation) to the fixed release. If immediate patching is not possible, restrict Webhook API access to trusted internal networks and authenticated callers only via network segmentation or API gateway access controls, which will limit exposure but may impact functionality for legitimate external webhook integrations. Consider implementing a Web Application Firewall (WAF) rule to detect and block HTTP requests containing encoded newline characters (\r, \n, %0d, %0a) in headers sent to Webhook endpoints, with the trade-off that this may block legitimate requests with special characters in header values.

CVE-2026-2053 CRITICAL
10.0 Jun 26

Server-side request forgery in WSO2 API Manager lets unauthenticated remote attackers coerce the gateway into making ser

CVE-2026-4249 HIGH
8.6 Jul 06

Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffi

CVE-2024-2374 HIGH
7.5 Apr 16

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the

CVE-2025-8325 MEDIUM
6.3 May 11

Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to

CVE-2025-8591 MEDIUM
6.1 Jul 06

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP

CVE-2024-10242 MEDIUM
6.1 Apr 16

The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response.

CVE-2025-6024 MEDIUM
6.1 Apr 16

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script

CVE-2024-4867 MEDIUM
5.4 Apr 16

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or p

CVE-2024-1248 MEDIUM
5.3 Jul 04

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega

CVE-2025-13475 HIGH
7.3 Jul 04

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati

CVE-2024-8010 LOW
3.5 Apr 16

The component accepts XML input through the publisher without disabling external entity resolution. Rated low severity (

Share

CVE-2025-8154 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy