CVE-2025-8154— HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation
Affected Version Matrix 21
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WSO2 | WSO2 API Control Plane | 4.5.0< 4.5.0.21 | affected |
| WSO2 | WSO2 API Manager | < 4.1.0 | unknown |
4.1.0< 4.1.0.218 | affected | ||
4.2.0< 4.2.0.164 | affected | ||
4.3.0< 4.3.0.74 | affected | ||
4.4.0< 4.4.0.38 | affected | ||
4.5.0< 4.5.0.20 | affected | ||
| WSO2 | WSO2 Carbon API Gateway | 9.20.74< 9.20.74.374 | affected |
9.28.116< 9.28.116.363 | affected | ||
9.29.120< 9.29.120.181 | affected | ||
9.30.67< 9.30.67.104 | affected | ||
9.31.86< 9.31.86.64 | affected | ||
9.32.2≤ * | unaffected | ||
| WSO2 | WSO2 Carbon API Management Implementation | 9.20.74< 9.20.74.374 | affected |
9.28.116< 9.28.116.363 | affected | ||
9.29.120< 9.29.120.181 | affected | ||
9.30.67< 9.30.67.104 | affected | ||
9.31.86< 9.31.86.64 | affected | ||
9.32.2≤ * | unaffected | ||
| WSO2 | WSO2 Traffic Manager | 4.5.0< 4.5.0.19 | affected |
| WSO2 | WSO2 Universal Gateway | 4.5.0< 4.5.0.19 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-8154
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WSO2多款产品 注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WSO2 API Manager等都是美国WSO2公司的产品。WSO2 API Manager是一套API生命周期管理解决方案。WSO2 API Control Plane是一个控制面板。WSO2 Traffic Manager是一个调节和管理API流量的组件。 WSO2多款产品存在注入漏洞,该漏洞源于接受用户提供的HTTP请求标头输入但未充分验证或清理,可能导致攻击者注入或覆盖任意HTTP响应标头,引发浏览器缓存操作、安全相关标头更改及敏感信息注入等影响。以下产品受到影响:WSO2 API Manage
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| WSO2 | WSO2 API Manager | 4.1.0 ~ 4.1.0.218 | - | |
| WSO2 | WSO2 Universal Gateway | 4.5.0 ~ 4.5.0.19 | - | |
| WSO2 | WSO2 Traffic Manager | 4.5.0 ~ 4.5.0.19 | - | |
| WSO2 | WSO2 API Control Plane | 4.5.0 ~ 4.5.0.21 | - | |
| WSO2 | WSO2 Carbon API Gateway | 9.20.74 ~ 9.20.74.374 | - | |
| WSO2 | WSO2 Carbon API Management Implementation | 9.20.74 ~ 9.20.74.374 | - |
II. Public POCs for CVE-2025-8154
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-8154
请登录查看更多情报信息。
Same Patch Batch · WSO2 · 2026-05-11 · 6 CVEs total
| CVE-2025-10470 | 8.6 HIGH | Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Una |
| CVE-2025-9973 | 6.4 MEDIUM | Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Orga |
| CVE-2025-8325 | 6.3 MEDIUM | Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Oper |
| CVE-2024-0391 | 5.3 MEDIUM | Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Disc |
| CVE-2025-10908 | Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allo |
IV. Related Vulnerabilities
Same product: WSO2 API Manager
- CVE-2025-6024
Cross-Site Scripting via Authentication Endpoint in Multiple - CVE-2024-10242
Reflected Cross-Site Scripting via Authentication Endpoint i - CVE-2024-8010
XML External Entity Injection via Publisher in WSO2 API Mana - CVE-2024-4867
Cross-Site Scripting via Developer Portal in WSO2 API Manage - CVE-2024-2374
XML External Entity Injection in Multiple WSO2 Products Allo
Same vendor: WSO2
- CVE-2025-10470
Denial-of-Service via Magic Link Authentication in WSO2 Iden - CVE-2025-9973
Authorization Bypass via Adaptive Authentication in WSO2 Ide - CVE-2025-8325
Improper Access Control via Gateway API in Multiple WSO2 Pro - CVE-2025-10908
Account Lock Bypass via Magic Link or Pass Key Authenticatio - CVE-2024-0391
Username Enumeration via Email OTP Flow in Multiple WSO2 Pro
Same weakness: CWE-74
- CVE-2026-42334
Mongoose: Improper Sanitization of $nor in sanitizeFilter Ma - CVE-2026-44458
Hono: CSS Declaration Injection via Style Object Values in J - CVE-2026-44455
Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML I - CVE-2026-42838
Microsoft Edge (Chromium-based) Elevation of Privilege Vulne - CVE-2026-33833
Azure Machine Learning Notebook Spoofing Vulnerability
V. Comments for CVE-2025-8154
No comments yet