CVE-2025-10611

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-10611

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-10611.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-10611

Published

2025-10-16T13:15:40.640Z

Modified

2025-11-23T04:17:58.350022Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.

Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/

Affected packages

Git / github.com/wso2/product-apim

Affected ranges

Type: GIT
Repo: https://github.com/wso2/product-apim
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

2971de274564b622974de831403e9688a4a76c14

Last affected

2d31e24faeeb97e70d7f19033ccff2f843f8c892

Last affected

572610e8e6564a647044bdb454eda658e1253352

Last affected

5cdc3f8a5ea212c3bf231cb710ea3436e9aad1d7

Last affected

6307349bd09fd6fdf9cfe15e170584403fa7e6be

Last affected

6e7a9db24a575f1f4a5bc4f4cbb41687c308c466

Last affected

727d091683c8199c37f2d19ab3198abee6553904

Last affected

828807c24e02a88a91a70e6f9dbc6eeb58be3eaf

Last affected

9f152cad69fafd010fae1ed02b636409f0860b91

Last affected

a87463944acbc28f14c0af2a32dc30310147a0be

Last affected

c97258caec907ea69c289c80ff708a214c3372dc

Last affected

cf00d9e6cb083f94abae11818794f62cd5c94079

Last affected

e4956e9301b1c26eb06e80ec5c86628154b6ab55

Last affected

f84a64d6683176f3ffb57fa262f3035b69781f2f

Affected versions

test-tag-1.*

test-tag-1.9.0-Alpha

v1.*

v1.10.0

v1.10.0-Alpha

v1.10.0-Beta

v1.10.0-rc3

v1.10.0-rc4

v1.9.0

v1.9.0-Alpha

v1.9.0-Beta

v1.9.0-Beta-2

v1.9.0-Beta-3

v1.9.0-M2

v2.*

v2.0.0

v2.0.0-ALPHA

v2.0.0-BETA

v2.0.0-M1

v2.0.0-M2

v2.0.0-M3

v2.0.0-M4

v2.0.0-M5

v2.0.0-beta2

v2.0.0-rc1

v2.0.0-rc2

v2.0.0-rc3

v2.0.0-rc4

v2.0.0-rc5

v2.1.0-alpha

v2.1.0-update1

v2.1.0-update10

v2.1.0-update11

v2.1.0-update12

v2.1.0-update13

v2.1.0-update14

v2.1.0-update2

v2.1.0-update3

v2.1.0-update4

v2.1.0-update5

v2.1.0-update6

v2.1.0-update7

v2.1.0-update8

v2.1.0-update9

v2.2.0

v2.2.0-update1

v2.2.0-update2

v2.2.0-update3

v2.2.0-update4

v2.2.0-update5

v2.2.0-update6

v2.2.0-update7

v2.5.0

v2.5.0-Alpha

v2.5.0-Beta

v2.5.0-rc1

v2.5.0-rc2

v2.5.0-rc3

v2.5.0-rc4

v2.6.0

v2.6.0-alpha

v2.6.0-alpha2

v2.6.0-beta

v2.6.0-beta2

v2.6.0-m1

v2.6.0-m2

v2.6.0-rc1

v2.6.0-rc2

v2.6.0-rc3

v3.*

v3.0.0

v3.0.0-alpha

v3.0.0-alpha2

v3.0.0-beta

v3.0.0-m32

v3.0.0-m33

v3.0.0-m34

v3.0.0-m35

v3.0.0-rc1

v3.0.0-rc2

v3.0.0-rc3

v3.1.0

v3.1.0-alpha

v3.1.0-beta

v3.1.0-m1

v3.1.0-m2

v3.1.0-m3

v3.1.0-m4

v3.1.0-m5

v3.1.0-rc1

v3.1.0-rc2

v3.1.0-rc3