Skip to main content
CVE Vulnerability Database

CVE-2024-2374: WSO2 API Manager XXE Vulnerability

CVE-2024-2374 is an XML External Entity vulnerability in WSO2 API Manager that allows attackers to read sensitive files and access internal resources. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2024-2374 Overview

CVE-2024-2374 is an XML External Entity (XXE) vulnerability [CWE-611] affecting multiple WSO2 products. The XML parsers within the affected products accept user-supplied XML data without disabling external entity resolution. Attackers can craft malicious XML payloads that force the parser to resolve external entities, leading to disclosure of confidential files, access to internal HTTP resources, and denial of service through recursive entity expansion.

Critical Impact

Unauthenticated network attackers can read arbitrary files from the server file system, reach internal HTTP endpoints, and exhaust server resources across WSO2 API Manager, Identity Server, Identity Server as Key Manager, Open Banking AM, and Open Banking IAM deployments.

Affected Products

  • WSO2 API Manager
  • WSO2 Identity Server and Identity Server as Key Manager
  • WSO2 Open Banking AM and Open Banking IAM

Discovery Timeline

  • 2026-04-16 - CVE-2024-2374 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2024-2374

Vulnerability Analysis

The vulnerability resides in the XML parsing logic used across multiple WSO2 products. The parsers process user-supplied XML documents without disabling Document Type Definition (DTD) processing or external entity resolution. An attacker submits an XML document that declares an external entity referencing a local file or remote URL. When the parser resolves the entity, it returns the referenced content within the response or processes it server-side.

This class of flaw enables three primary impacts. First, attackers read confidential files such as configuration files or credential stores from the file system. Second, attackers reach internal HTTP resources that would otherwise be unreachable from the public network, enabling Server-Side Request Forgery (SSRF) style probing. Third, attackers trigger recursive entity expansion attacks (commonly called billion-laughs) or force the server to fetch large external resources, exhausting CPU and memory.

The weakness is classified under CWE-611: Improper Restriction of XML External Entity Reference. Exploitation requires no authentication and no user interaction.

Root Cause

The affected XML parsers use default configurations that permit DTD declarations and external entity expansion. Secure XML parsing requires explicitly disabling features such as external-general-entities, external-parameter-entities, and load-external-dtd. WSO2 did not apply these hardening settings consistently across the affected products.

Attack Vector

The attack is network-based and unauthenticated. An attacker sends a crafted XML payload to any endpoint that accepts XML input. A typical XXE payload defines an entity such as <!ENTITY xxe SYSTEM "file:///etc/passwd"> and references it in the document body. The parser dereferences the entity and either reflects the file contents in a response or sends it out-of-band to an attacker-controlled host. For denial of service, the attacker submits nested entity declarations that expand exponentially during parsing, consuming server resources.

Detection Methods for CVE-2024-2374

Indicators of Compromise

  • Inbound HTTP requests with XML bodies containing <!DOCTYPE declarations or <!ENTITY definitions referencing SYSTEM or PUBLIC identifiers.
  • Outbound network connections from WSO2 hosts to unexpected external IP addresses or DNS lookups for attacker-controlled domains, indicating out-of-band exfiltration.
  • WSO2 application logs showing XML parser errors referencing file URIs such as file://, jar:, or expect://.

Detection Strategies

  • Inspect HTTP request bodies destined for WSO2 endpoints for DTD or external entity declarations using a web application firewall or intrusion detection system.
  • Correlate XML processing activity in WSO2 logs with outbound connections initiated by the Java process to identify out-of-band XXE attempts.
  • Monitor for sudden spikes in CPU and memory consumption on WSO2 servers that coincide with inbound XML traffic, which may indicate entity expansion attacks.

Monitoring Recommendations

  • Forward WSO2 carbon logs and HTTP access logs to a centralized SIEM and alert on XML parser exceptions or unusual file access patterns originating from the Java runtime.
  • Baseline outbound network traffic from WSO2 servers and alert on connections to non-approved destinations.
  • Track read access to sensitive paths such as /etc/passwd, WSO2 repository/conf/ directories, and credential stores by the WSO2 process owner.

How to Mitigate CVE-2024-2374

Immediate Actions Required

  • Apply the patches and WUM updates referenced in WSO2 Security Advisory WSO2-2024-3255 for each affected product version.
  • Restrict network exposure of WSO2 management and API endpoints to trusted networks until patches are applied.
  • Review WSO2 access and outbound connection logs for evidence of prior exploitation, focusing on requests containing DTD declarations.

Patch Information

WSO2 has published fixes in WSO2 Security Advisory WSO2-2024-3255. The advisory lists the affected versions and the corresponding WSO2 Update Manager (WUM) updates required for each product, including API Manager, Identity Server, Identity Server as Key Manager, Open Banking AM, and Open Banking IAM.

Workarounds

  • Place a reverse proxy or web application firewall in front of WSO2 endpoints and block requests containing <!DOCTYPE or <!ENTITY declarations in XML payloads.
  • Apply egress filtering on WSO2 servers to prevent outbound connections to arbitrary internet destinations, limiting the impact of out-of-band XXE.
  • Restrict file system permissions for the WSO2 service account to the minimum required, reducing the scope of files readable via XXE.
bash
# Example egress restriction using iptables on a WSO2 host
iptables -A OUTPUT -m owner --uid-owner wso2 -d 10.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner wso2 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner wso2 -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.