Full Report
The application defines route permissions via using path regular expressions. The permissions aren't part of the path! Immediately, the author thought there is no way this is being done correctly. The default is no authorization checks for some crazy reason. There is a set of OAuth endpoints for configuring authentication on the service. Obviously, these having bad regex's would break the security of the application. Some of the endpoint weren't included at all! Some could be bypassed by adding a trailing slash. For instance, the regex (.*)/keymanager-operations/dcr/register would NOT match to /keymanager-operations/dcr/register/. In 2022, a complete bypass for all authentication was found via finding a difference in the regex parsing and the server parsing. Adding a semicolon into a path was valid yet not counted in the regex's. For instance, /scim2/Users could be bypassed with /scim2;/Users. Apparently, semicolons are valid within the path segment as matrix parameters. So, this was a valid path but not picked up by the regex. Instead of rethinking this approach they doubled down and rewrote a lot of the regex's super crazy rules. The patch for this was to ensure that ;/ would always be rejected. To find a bypass for this, they reviewed the ordering of operations. Upon analyzing the code, they learned that the URL decoding happens after the regular expression test but before getting the URL. So, simply URL encoding parameters can also bypass the regex checks. The definition of a route contains a METHOD as well. If the method in the HTTP request doesn't have a corresponding route, then it will fail. Because a route can support multiple methods, the code uses a .contains() for the authorization checks. Sadly, this is case sensitive but it's normally to be capitialized later. So, invoking a route with a lowercased method will bypass authentication. Yikes! The service APIKeyMgtSubscriberService doesn't require any special besides valid credentials. This appears to be a legacy API for creation and management of OAuth clients. By calliing this API, you can use a low-level user to create an Admin user. Yikes! After reporting the vulnerabilities, the product team asked the author to stop testing their products. At the moment, they had dedicated a war room team to evaluate the architecture and find more issues. They ignored this and submitted more critical bugs the next day. Overall, an awesome post with great background, discovery thoughts and exploit notes.
Analysis Summary
# Vulnerability: Multiple Path & Logic-Based Authentication Bypasses in WSO2 Products
## CVE Details
- CVE ID: CVE-2025-9152, CVE-2025-10611, CVE-2025-9804
- CVSS Score: Critical (Implied, as they lead to total compromise/privilege escalation)
- CWE: CWE-185: Incorrect Regular Expression, CWE-287: Improper Authentication, CWE-264: Permissions, Privileges, and Access Controls Incorrectly Enforced
## Affected Systems
- Products: WSO2 API Manager, WSO2 Identity Server
- Versions:
- CVE-2025-9152: API Manager $\ge$ 3.2.0
- CVE-2025-9804: Versions $\le$ 3.1.0
- CVE-2025-10611: Applied to multiple logic flaws
- Configurations: Systems relying on configuration files (`identity.xml` or `deployment.toml`) for path-based access control via regular expressions.
## Vulnerability Description
This summary covers three distinct but related authentication bypasses stemming from misconfigurations or logical flaws in how path-based access control (defined via regex in XML/TOML files) is handled vs. how the underlying server parses the URL request.
1. **Regex Path Mismatch (CVE-2025-9152, path variation):** Route permissions defined by regex failed to match legitimate paths, notably due to missing endpoints or sensitivity to trailing slashes (e.g., `/path` was protected, but `/path/` was not). This primarily affected the sensitive OAuth configuration endpoints under `/keymanager-operations/`.
2. **Semicolon Path Confusion (Related to CVE-2025-10611):** The regex parsing did not correctly account for semicolons (`;`) in the URL path segments (which are technically valid as URL matrix parameters). A request path like `/scim2;/Users` bypassed the regex checking only for `/scim2/Users`.
3. **URL Decoding Timing Flaw (Related to CVE-2025-10611):** URL decoding occurred *after* the initial regular expression test but *before* the final path resolution. This allowed attackers to bypass restrictions by URL-encoding path components that the initial regex failed to capture (e.g., encoding the semicolon).
4. **Case-Sensitive Method Check (Part of CVE-2025-10611):** Route checks relied on `.contains()` for HTTP methods, which was case-sensitive. Using a lowercased HTTP method (e.g., `get` instead of `GET`) bypassed authentication checks for routes defined only with capitalized methods.
5. **Privilege Escalation via Legacy API (Not CVE-specific but related):** The `APIKeyMgtSubscriberService` allowed low-level users to create Admin users if they possessed valid credentials (implying that access controls for this specific API were insufficient or absent).
## Exploitation
- Status: PoC available for all bypass types described. Exploitation leads to total compromise (registering new OAuth clients, modifying existing ones, or granting administrative access).
- Complexity: Low to Medium (Requires knowledge of the regex parsing weaknesses).
- Attack Vector: Network
## Impact
- Confidentiality: High (Gaining access to secrets, system configuration, and potentially user data).
- Integrity: High (Ability to alter configurations, create new clients, and escalate privileges to Admin).
- Availability: High (Ability to disrupt service via configuration changes, though the primary impact is usually confidentiality/integrity).
## Remediation
### Patches
- Patches issued by WSO2 addressing the specific CVEs. The text mentions fixes applied for:
- **CVE-2025-9152:** Patch released around September 2025.
- **CVE-2025-10611/CVE-2025-9804:** Patches released/code changes made based on reports in September/October 2025.
- Specific repair mentioned for the semicolon issue: Ensuring that `;/` is always rejected in the path evaluation step.
### Workarounds
- Implement stricter, non-regex-based URL path filtering or routing configuration external to the application if possible.
- Analyze and ensure all required OAuth API paths (especially `/keymanager-operations/`) are fully covered by restrictive regexes, explicitly accounting for trailing slashes.
- Review and harden access to the legacy `APIKeyMgtSubscriberService`.
## Detection
- **Indicators of Compromise:**
- Unexpected OAuth clients registered via the `/keymanager-operations/` endpoints.
- Unauthorized modification of existing OAuth clients.
- Use of URL paths containing unencoded or encoded semicolons (`;`) in request logs where they were not previously observed.
- Log entries showing requests hitting protected endpoints using lowercased HTTP methods when only capitalized methods were defined in the authorization configuration.
- **Detection Methods and Tools:**
- Implement real-time Web Application Firewall (WAF) rules or API gateway policies to flag and block requests containing reserved path characters like `;` within expected path segments.
- Audit configuration files for missing or incomplete regex entries pertaining to sensitive paths.
## References
- Vendor Advisory (General WSO2 Security Advisories for the stated periods in 2025).
- Research Post: hxxps://crnkovic.dev/wso2-the-authentication-bypasses/
- CVE Records: CVE-2025-9152, CVE-2025-10611, CVE-2025-9804