CVE-2025-6670 Overview
CVE-2025-6670 is a Cross-Site Request Forgery (CSRF) vulnerability affecting multiple WSO2 products. The flaw resides in the event processor of the Carbon console, where admin services accept HTTP GET requests for state-changing operations. The SameSite=Lax cookie attribute fails to mitigate the issue because it still permits cookies on cross-site top-level GET navigations.
An attacker who tricks an authenticated administrator into visiting a crafted link can cause the browser to issue unintended administrative requests. Successful exploitation enables unauthorized data modification, account changes, and other administrative actions. The vulnerability is tracked under CWE-352.
Critical Impact
A single click by an authenticated WSO2 administrator on an attacker-controlled link can trigger unauthorized state-changing operations within the Carbon console event processor.
Affected Products
- WSO2 API Manager versions 3.1.0 through 4.6.0
- WSO2 Identity Server versions 5.10.0 through 7.2.0 and Identity Server as Key Manager 5.10.0
- WSO2 API Control Plane 4.5.0 through 4.6.0
- WSO2 Enterprise Integrator 6.6.0
- WSO2 Open Banking AM/IAM 2.0.0
- WSO2 Traffic Manager 4.5.0 through 4.6.0
- WSO2 Universal Gateway 4.5.0 through 4.6.0
Discovery Timeline
- 2025-11-18 - CVE-2025-6670 published to NVD
- 2025-12-08 - Last updated in NVD database
Technical Details for CVE-2025-6670
Vulnerability Analysis
The vulnerability stems from the Carbon console event processor accepting HTTP GET requests to perform state-changing operations within admin services. CSRF protections rely on the assumption that state-changing actions use unsafe methods such as POST, PUT, or DELETE paired with anti-CSRF tokens. By exposing administrative actions over GET, WSO2 enables any cross-site page to trigger those actions through standard browser navigation primitives such as image tags, links, or window.location assignments.
WSO2 attempted to mitigate session-riding attacks using the SameSite=Lax cookie attribute. However, Lax explicitly permits cookies to accompany top-level navigations performed with safe methods, including GET. As a result, a crafted link delivered through phishing, a forum post, or a malicious advertisement causes the victim's browser to send authenticated requests to the targeted WSO2 instance.
Root Cause
The root cause is a violation of HTTP method semantics combined with reliance on an insufficient cookie-based defense. The event processor admin services route state-changing logic through GET handlers and do not validate an anti-CSRF token or Origin/Referer header. SameSite=Lax does not block cross-site top-level GET navigations, leaving the application without an effective layer of CSRF protection.
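The two halves of the root cause above (why SameSite=Lax still sends the session cookie on a cross-site top-level GET, and what a state-changing admin handler should check instead) can be modelled in a few lines. The following is an added example written for this page, not WSO2 code: the cookie model is a deliberate simplification of the Lax rule, and the endpoint gate, its `csrfToken` parameter name and its `own_origin` argument are illustrative assumptions rather than anything from the Carbon console.

```python
"""Added example (not WSO2 code): models SameSite=Lax cookie behaviour and the
server-side gate a state-changing admin endpoint should apply. Parameter and
header names below are illustrative assumptions."""
import hmac
from typing import Optional
from urllib.parse import urlsplit


def lax_cookie_sent(method: str, top_level: bool, cross_site: bool) -> bool:
    """Simplified SameSite=Lax rule: a cross-site request carries the cookie
    only when it is a top-level navigation using a safe method (GET/HEAD).
    Same-site requests always carry it. Subresource loads (e.g. <img>) from
    another site do not."""
    if not cross_site:
        return True
    return top_level and method.upper() in ("GET", "HEAD")


SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def source_site(headers: dict) -> Optional[str]:
    """Return scheme://host of the Origin header, falling back to Referer.
    None when neither header is present or parseable."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            parts = urlsplit(value)
            if parts.scheme and parts.netloc:
                return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def csrf_gate(method: str, headers: dict, query: dict,
              session_csrf_token: str, own_origin: str):
    """Decide whether a state-changing admin request may proceed.

    Three independent checks, any of which the vulnerable handler lacked:
    1. refuse safe methods outright (GET must never change state),
    2. require Origin/Referer and match it against the console's own origin,
    3. require an anti-CSRF token bound to the session.
    Returns (allowed, reason).
    """
    if method.upper() in SAFE_METHODS:
        return False, "state-changing action must not be exposed over a safe method"
    src = source_site(headers)
    if src is None:
        return False, "missing Origin/Referer on state-changing request"
    if src != own_origin.lower():
        return False, f"cross-site source {src}"
    token = query.get("csrfToken")  # hypothetical parameter name
    if not token or not hmac.compare_digest(token, session_csrf_token):
        return False, "anti-CSRF token missing or mismatched"
    return True, "ok"


if __name__ == "__main__":
    console = "https://console.example.internal"  # constructed origin
    print(lax_cookie_sent("GET", top_level=True, cross_site=True))   # cookie sent
    print(csrf_gate("GET", {"Referer": "https://forum.example.net/"}, {}, "t0k", console))
    print(csrf_gate("POST", {"Origin": console}, {"csrfToken": "t0k"}, "t0k", console))
```

The first check is the decisive one: once state-changing logic is reachable only over POST (or another unsafe method), SameSite=Lax does withhold the cookie on cross-site requests, and the Origin/Referer and token checks become defence in depth rather than the only barrier.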
Attack Vector
Exploitation requires an authenticated WSO2 administrator with an active Carbon console session. The attacker hosts or distributes a URL pointing to the vulnerable event processor endpoint with parameters that perform an administrative action. When the victim opens the link, the browser appends the session cookie and issues the request, which the server executes under the victim's privileges. No credentials or direct access to the WSO2 instance are required by the attacker, though network reachability to the targeted Carbon console is required from the victim's browser.
No public proof-of-concept code is currently available for this vulnerability. Refer to the WSO2 Security Advisory WSO2-2025-4117 for technical details.
Detection Methods for CVE-2025-6670
Indicators of Compromise
- HTTP GET requests to Carbon console event processor admin endpoints that carry an external Referer header or an unusual User-Agent
- Administrative configuration changes correlated in time with browser-initiated navigations rather than direct admin console workflows
- Authenticated session activity from administrator accounts originating from unexpected source pages or third-party domains
Detection Strategies
- Inspect web server and reverse proxy access logs for GET requests to /carbon/eventprocessor/ and related admin service paths that include state-changing query parameters
- Alert on Carbon console admin requests where the Referer header points to an external domain or is missing entirely
- Correlate event processor configuration changes in WSO2 audit logs with browser session metadata to identify activity not initiated through legitimate admin workflows
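The first two strategies above can be applied directly to access-log lines. The following is an added example written for this page, not a WSO2 or vendor tool: it parses combined-format log lines, flags GET requests under the /carbon/eventprocessor/ prefix that carry query parameters, and reports those whose Referer is missing or points to a host other than the console itself. The log lines are constructed for illustration, and the action page and parameter names in them are placeholders, not real WSO2 endpoints.

```python
"""Added example (not a WSO2 tool): detect CSRF-style GET requests to Carbon
event processor admin paths in access logs. Sample log lines are constructed;
action page and parameter names in them are placeholders."""
import re
from urllib.parse import urlsplit

# Combined log format with Referer and User-Agent (Apache/nginx style).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Path prefix from the detection strategy above; extend with other admin paths.
ADMIN_PREFIXES = ("/carbon/eventprocessor/",)


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict, console_host: str):
    """Return a reason string when the entry matches the CSRF pattern, else None."""
    if entry["method"] != "GET":
        return None
    target = urlsplit(entry["target"])
    if not target.path.startswith(ADMIN_PREFIXES):
        return None
    if not target.query:
        return None  # plain page loads are ordinary admin-console traffic
    referer = entry["referer"]
    if referer in ("", "-"):
        return "state-changing GET with no Referer"
    ref_host = urlsplit(referer).hostname
    if ref_host != console_host:
        return f"state-changing GET referred from external site {ref_host}"
    return None


def scan(lines, console_host: str):
    """Return (ip, user, target, reason) for every suspicious entry."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry, console_host)
        if reason:
            findings.append((entry["ip"], entry["user"], entry["target"], reason))
    return findings


# Constructed sample log: one normal page load, one GET referred from an
# external forum, one GET with no Referer, one same-site GET, one POST.
SAMPLE_LOG = [
    '203.0.113.7 - admin [18/Nov/2025:10:01:02 +0000] "GET /carbon/eventprocessor/index.jsp HTTP/1.1" 200 4120 "https://console.example.internal/carbon/admin/index.jsp" "Mozilla/5.0"',
    '203.0.113.7 - admin [18/Nov/2025:10:02:15 +0000] "GET /carbon/eventprocessor/action_placeholder.jsp?item=demo HTTP/1.1" 302 0 "https://forum.example.net/thread/42" "Mozilla/5.0"',
    '203.0.113.7 - admin [18/Nov/2025:10:03:40 +0000] "GET /carbon/eventprocessor/action_placeholder.jsp?item=demo2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - admin [18/Nov/2025:10:05:09 +0000] "GET /carbon/eventprocessor/action_placeholder.jsp?item=demo3 HTTP/1.1" 302 0 "https://console.example.internal/carbon/eventprocessor/index.jsp" "Mozilla/5.0"',
    '203.0.113.7 - admin [18/Nov/2025:10:06:30 +0000] "POST /carbon/eventprocessor/action_placeholder.jsp HTTP/1.1" 302 0 "https://console.example.internal/carbon/eventprocessor/index.jsp" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, "console.example.internal"):
        print(finding)
```

Treat the "no Referer" case as lower confidence than the external-Referer case: privacy settings and some proxies strip the header, so it is best used as a correlation input alongside the audit-log check in the third strategy rather than as a standalone alert.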
Monitoring Recommendations
- Forward WSO2 Carbon audit logs and web access logs to a centralized SIEM for cross-correlation with identity and proxy telemetry
- Track anomalous spikes in administrative action volume per session, particularly on event processor endpoints
- Monitor administrator browsing telemetry for navigations to untrusted external URLs immediately preceding admin actions
How to Mitigate CVE-2025-6670
Immediate Actions Required
- Apply WUM updates or version upgrades published by WSO2 for each affected product as listed in advisory WSO2-2025-4117
- Restrict network access to the Carbon console so that it is not reachable from untrusted networks, in line with WSO2 Secure Production Guidelines
- Require administrators to log out of the Carbon console when not actively performing administrative tasks to shrink the CSRF attack window
Patch Information
WSO2 has published remediation guidance and product-specific update paths in WSO2 Security Advisory WSO2-2025-4117. Customers should consult the advisory to identify the appropriate WUM update level or upgrade target for their deployed product version. Apply updates in a staging environment before promoting to production.
Workarounds
- Place the Carbon console behind a VPN or IP allowlist so that only trusted administrative networks can reach the management interface
- Deploy a reverse proxy or web application firewall rule that blocks GET requests carrying state-changing parameters to event processor admin paths
- Enforce browser isolation or dedicated administrative browsers for WSO2 administrators to prevent cross-site navigations from general browsing sessions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


