Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

INFO

Published Date: 2025-11-05T14:49:44.597Z

Last Modified: 2026-01-20T04:14:55.775Z

Source: WSO2

AFFECTED PRODUCTS

The following products are affected by CVE-2025-3125.

Vendor: WSO2

Products:
  • Api Control Plane
  • Api Manager
  • Carbon
  • Enterprise Integrator
  • Identity Server
  • Identity Server As Key Manager
  • Open Banking Iam
  • Org.wso2.carbon.commons Org.wso2.carbon.application.upload
  • Traffic Manager
  • Universal Gateway
  • Wso2 Api Control Plane
  • Wso2 Api Manager
  • Wso2 Enterprise Integrator
  • Wso2 Identity Server
  • Wso2 Identity Server As Key Manager
  • Wso2 Open Banking Iam
  • Wso2 Traffic Manager
  • Wso2 Universal Gateway

CVSS Vulnerability Scoring System

CVSS base metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact): the metric values are not present on this page.