CVE-2025-10713 — WSO2 Carbon Mediation vulnerable to XML External Entity (XXE) attacks

Description

An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.

How to fix CVE-2025-10713

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-10713 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-10713
PATCHgithub.com/wso2/carbon-mediation
WEBgithub.com/wso2/carbon-mediation/commit/b995b2f1db96a4697791f0202cc8713f15640fd5
WEBgithub.com/wso2/carbon-mediation/pull/1784