CVE-2025-6670
Dec. 8, 2025, 2 p.m.
8.8
High
Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests.
A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Wso2 |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | wso2 | api_control_plane | 4.5.0 | - | / | / | / | / | / | / |
| a | wso2 | api_control_plane | 4.6.0 | - | / | / | / | / | / | / |
| a | wso2 | api_manager | 3.1.0 | / | / | / | / | / | / | / |
| a | wso2 | api_manager | 3.2.0 | / | / | / | / | / | / | / |
| a | wso2 | api_manager | 3.2.1 | / | / | / | / | / | / | / |
| a | wso2 | api_manager | 4.0.0 | / | / | / | / | / | / | / |
| a | wso2 | api_manager | 4.1.0 | - | / | / | / | / | / | / |
| a | wso2 | api_manager | 4.2.0 | - | / | / | / | / | / | / |
| a | wso2 | api_manager | 4.3.0 | - | / | / | / | / | / | / |
| a | wso2 | api_manager | 4.4.0 | - | / | / | / | / | / | / |
| a | wso2 | api_manager | 4.5.0 | - | / | / | / | / | / | / |
| a | wso2 | api_manager | 4.6.0 | - | / | / | / | / | / | / |
| a | wso2 | enterprise_integrator | 6.6.0 | / | / | / | / | / | / | / |
| a | wso2 | identity_server | 5.10.0 | / | / | / | / | / | / | / |
| a | wso2 | identity_server | 5.11.0 | / | / | / | / | / | / | / |
| a | wso2 | identity_server | 6.0.0 | - | / | / | / | / | / | / |
| a | wso2 | identity_server | 6.1.0 | - | / | / | / | / | / | / |
| a | wso2 | identity_server | 7.0.0 | - | / | / | / | / | / | / |
| a | wso2 | identity_server | 7.1.0 | - | / | / | / | / | / | / |
| a | wso2 | identity_server | 7.2.0 | / | / | / | / | / | / | / |
| a | wso2 | identity_server_as_key_manager | 5.10.0 | / | / | / | / | / | / | / |
| a | wso2 | open_banking_am | 2.0.0 | / | / | / | / | / | / | / |
| a | wso2 | open_banking_iam | 2.0.0 | / | / | / | / | / | / | / |
| a | wso2 | traffic_manager | 4.5.0 | / | / | / | / | / | / | / |
| a | wso2 | traffic_manager | 4.6.0 | / | / | / | / | / | / | / |
| a | wso2 | universal_gateway | 4.5.0 | / | / | / | / | / | / | / |
| a | wso2 | universal_gateway | 4.6.0 | / | / | / | / | / | / | / |
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Timeline
Published: Nov. 18, 2025, 12:15 p.m.
Last Modified: Dec. 8, 2025, 2 p.m.
Last Modified: Dec. 8, 2025, 2 p.m.
Status : Analyzed
CVE has had analysis completed and all data associations made.
More infoSource
ed10eef1-636d-4fbe-9993-6890dfa878f8
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.