High-severity XXE disclosed across multiple WSO2 products
TL;DR — An XXE flaw in WSO2 XML parsing can let remote attackers read server files, perform limited outbound HTTP fetches, and trigger XML-bomb DoS in exposed API/IAM deployments.
What happened
WSO2 API Manager and WSO2 Identity Server are widely deployed Java-based platforms for API gateway/publishing and identity/access management (IAM) in enterprise environments.
CVE-2024-2374 describes an XML External Entity (XXE) issue where XML parsers in multiple WSO2 products accept user-supplied XML without being configured to prevent external entity resolution. The CVE record states this can allow an attacker to read confidential files from the file system, access limited HTTP resources reachable by the product, and cause denial of service via entity expansion or fetching large external resources.
Severity is CVSS v3.1 7.5 (High) with a network attack vector and no privileges required. XXE remains a recurring “plumbing layer” failure mode in API gateways and identity stacks, where a single parser misconfiguration can expose high-value configuration and trust-boundary secrets.
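To make the misconfiguration class concrete, the following is an added example (not WSO2 code and not taken from the CVE record) showing a JAXP `DocumentBuilderFactory` left at its permissive defaults beside one configured to refuse DTDs and external entities. The sample document, the placeholder `file:///PLACEHOLDER/some-file` URI and the class and method names are all constructed for this illustration; the feature URIs and `XMLConstants` attributes are the standard Xerces/JAXP ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class XxeHardening {

    // Constructed sample: a document whose DOCTYPE declares an external entity.
    // The URI is a labelled placeholder, not a real path on any system.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE request [\n"
            + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/some-file\">\n"
            + "]>\n"
            + "<request><name>&ext;</name></request>";

    // "Before": the JAXP default. DOCTYPE declarations are accepted and external
    // general entities are resolved, which is the class of misconfiguration the
    // CVE record describes (file read, limited outbound fetch, entity-expansion DoS).
    static DocumentBuilder permissiveParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // "After": explicitly disable DTD processing and external entity resolution.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting DOCTYPE entirely stops external entities and entity-expansion
        // (XML bomb) DoS in one step; this is the preferred setting when no
        // legitimate input needs a DTD.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must keep DOCTYPE for legacy schemas.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5+ properties: empty string means no protocol may be used to fetch
        // external DTDs or schemas, closing the outbound-HTTP path as well.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    // Reports whether the parser accepted the document or refused it, and why.
    // With the default parser the failure (if any) is an I/O error from actually
    // trying to open the entity URI; with the hardened parser it is a parse error
    // raised at the DOCTYPE, before any resolution is attempted.
    static String tryParse(DocumentBuilder db, String xml) {
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed (entity content would be in the DOM)";
        } catch (Exception e) {
            return "rejected (" + e.getClass().getSimpleName() + "): " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + tryParse(permissiveParser(), SAMPLE));
        System.out.println("hardened -> " + tryParse(hardenedParser(), SAMPLE));
    }
}
```

The same feature set applies to `SAXParserFactory`, `XMLInputFactory` (`XMLInputFactory.SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` set to false) and any transformer or schema factory in the request path; a gateway that hardens only one of its parsers remains exposed through the others, so the review should cover every place user-supplied XML is parsed.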
Who is impacted
- Deployments running the affected WSO2 product lines and versions as enumerated in the CVE record.
- The CVE record lists some earlier version ranges as "unknown" (i.e., not explicitly confirmed affected/unaffected).
| Product | Affected versions (per CVE record) | Fixed in (per CVE record thresholds) |
|---|---|---|
| WSO2 API Manager | >= 3.1.0, < 3.1.0.278 | 3.1.0.278 |
| WSO2 API Manager | >= 3.2.0, < 3.2.0.368 | 3.2.0.368 |
| WSO2 API Manager | >= 4.0.0, < 4.0.0.280 | 4.0.0.280 |
| WSO2 API Manager | >= 4.1.0, < 4.1.0.206 | 4.1.0.206 |
| WSO2 API Manager | >= 4.2.0, < 4.2.0.144 | 4.2.0.144 |
| WSO2 API Manager | >= 4.3.0, < 4.3.0.57 | 4.3.0.57 |
| WSO2 Identity Server | >= 5.10.0, < 5.10.0.300 | 5.10.0.300 |
| WSO2 Identity Server | >= 5.11.0, < 5.11.0.329 | 5.11.0.329 |
| WSO2 Identity Server | >= 6.0.0, < 6.0.0.179 | 6.0.0.179 |
| WSO2 Identity Server | >= 6.1.0, < 6.1.0.136 | 6.1.0.136 |
| WSO2 Identity Server as Key Manager | >= 5.10.0, < 5.10.0.296 | 5.10.0.296 |
| WSO2 Open Banking AM | >= 2.0.0, < 2.0.0.328 | 2.0.0.328 |
| WSO2 Open Banking IAM | >= 2.0.0, < 2.0.0.348 | 2.0.0.348 |
Notes:
- For some products, the CVE record also includes a pre-range marked status: unknown (e.g., "less than 3.1.0" for API Manager, "less than 5.10.0" for Identity Server), which should be treated as not conclusively characterized based on the CVE record alone.
What to do now
- Follow the vendor remediation guidance referenced by the CVE record (the CVE's solution field points to the vendor advisory): https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/#solution
- Inventory all WSO2 API gateway / IAM deployments and map them to the affected version ranges in the CVE record (including container images and any "baked" AM/IS artifacts in CI/CD pipelines).
- Treat this as a potential sensitive-file disclosure and SSRF-like egress risk from a trusted service: prioritize patching any internet- or partner-exposed XML ingestion surfaces first.
- If compromise is suspected, review logs for unexpected XML payload patterns (e.g., external entity usage / large expansions) and rotate credentials reachable by the WSO2 process (service accounts, database creds, signing keys) according to your incident response playbooks.
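As an added example of the log review suggested above (not WSO2 tooling and not from the advisory), the following Java 9+ program screens logged XML request bodies for the indicators the CVE record names: a DOCTYPE declaration, an external (`SYSTEM`/`PUBLIC`) entity declaration, and an internal-entity reference count high enough to suggest expansion. The log line format, the client addresses, the `body=` field and the reference threshold are all constructed assumptions for this illustration; adapt the line parsing to whatever your gateway actually records, and note that it only works if request bodies are logged at all.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class XmlPayloadTriage {

    static final Pattern DOCTYPE = Pattern.compile("<!DOCTYPE", Pattern.CASE_INSENSITIVE);
    // External entity declaration: <!ENTITY name SYSTEM "..."> or PUBLIC,
    // including parameter entities (<!ENTITY % name SYSTEM "...">).
    static final Pattern EXTERNAL_ENTITY =
            Pattern.compile("<!ENTITY\\s+(%\\s*)?\\w+\\s+(SYSTEM|PUBLIC)\\b", Pattern.CASE_INSENSITIVE);
    // Internal entity declaration with a literal value: <!ENTITY name "...">
    static final Pattern INTERNAL_ENTITY =
            Pattern.compile("<!ENTITY\\s+(%\\s*)?\\w+\\s+[\"']", Pattern.CASE_INSENSITIVE);
    // General (&name;) or parameter (%name;) entity references anywhere in the body.
    static final Pattern ENTITY_REF = Pattern.compile("[&%](\\w+);");
    // The five predefined XML entities are normal in any document and never counted.
    static final Set<String> PREDEFINED = Set.of("amp", "lt", "gt", "apos", "quot");
    // Assumed heuristic threshold for this example; tune it to your own traffic.
    static final int EXPANSION_REF_THRESHOLD = 8;

    // Returns the list of indicator tags found in one XML body (empty = nothing notable).
    static List<String> triage(String body) {
        List<String> indicators = new ArrayList<>();
        if (DOCTYPE.matcher(body).find()) indicators.add("doctype-present");
        if (EXTERNAL_ENTITY.matcher(body).find()) indicators.add("external-entity-decl");
        int declared = count(INTERNAL_ENTITY.matcher(body));
        int refs = 0;
        Matcher m = ENTITY_REF.matcher(body);
        while (m.find()) {
            if (!PREDEFINED.contains(m.group(1))) refs++;
        }
        // Many references to locally declared entities is the shape of an
        // entity-expansion (XML bomb) payload, regardless of the entity names used.
        if (declared > 0 && refs >= EXPANSION_REF_THRESHOLD) indicators.add("possible-entity-expansion");
        return indicators;
    }

    static int count(Matcher m) {
        int n = 0;
        while (m.find()) n++;
        return n;
    }

    // Constructed sample log lines (not real WSO2 output): "<timestamp> <client> <path> body=<xml>".
    // Client addresses are from the RFC 5737 documentation range; the file URI is a placeholder.
    static final String[] SAMPLE_LOG = {
        "2024-03-18T10:01:02Z 203.0.113.5 /services/example body=<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>",
        "2024-03-18T10:01:07Z 203.0.113.9 /services/example body=<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]><r>&ext;</r>",
        "2024-03-18T10:01:09Z 203.0.113.9 /services/example body=<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY a \"aaaa\"><!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;\">]><r>&b;</r>",
    };

    public static void main(String[] args) {
        for (String line : SAMPLE_LOG) {
            int i = line.indexOf("body=");
            String body = i < 0 ? "" : line.substring(i + 5);
            String prefix = i < 0 ? line : line.substring(0, i);
            List<String> found = triage(body);
            // Expected: line 1 "ok", line 2 doctype + external-entity-decl,
            // line 3 doctype + possible-entity-expansion.
            System.out.println((found.isEmpty() ? "ok   " : "FLAG ") + prefix + " " + found);
        }
    }
}
```

A "doctype-present" hit on its own is not proof of exploitation, since some legitimate clients still send DTDs, but on an API or IAM endpoint that never expects one it is the cheapest high-signal indicator to alert on; correlate flagged lines by client address and by the time window in which the unpatched version was exposed before deciding which credentials reachable by the WSO2 process to rotate.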
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
