Full Report
The author noticed a file called WSRequestXSSproxy_ajaxprocessor.jsp that hadn't changed much since 2008. It is unused, a leftover artifact of the product, and its whole purpose was SSRF as a service. In 2020, WSO2 noticed this internally and tried to fix it, but the fix fell short: the patch only required authentication to access the endpoint. Because of some issues around Java applets, a special case was added to skip authentication for .jar files. That check was a string comparison using endsWith on the path of the URL, so appending ;.jar to the URL bypasses it. This works because of matrix parameters: with that string on the end of the URL, the SSRF is reachable unauthenticated once again.

The SSRF is heavily based around SOAP and XML. The vanilla code allows control over the URI, username, password and payload within the XML. Using a CRLF vulnerability in the SOAPAction header, we can add arbitrary headers to the request, which gives us more freedom in how we drive the proxy. There is a limitation though: we can only read XML and JSON responses. What if we wanted to read something else? The Range header is used to specify which bytes the server should send in the response. By choosing which bytes to return in the SSRF response and combining that with the newline injection, we can make the proxy return one byte at a time. Luckily for us, this produces an error message with our character in the middle of it. This turns a mostly blind SSRF into a full-read SSRF.

The newline injection can also be used to exploit HTTP pipelining to get request smuggling. Notably, this can desync requests and responses: if you're lucky, other users will get your response or you'll get another user's response.

Overall, a good chain of vulnerabilities to increase the impact. I didn't know about the matrix parameters, so that's a new tool to add to the bag of tricks.
Analysis Summary
# Vulnerability: Pre-Auth Full-Read SSRF and Request Smuggling Chain in WSO2
## CVE Details
- **CVE ID**: CVE-2025-5350 (SSRF), CVE-2025-5605 (Auth Bypass)
- **CVSS Score**: Not explicitly listed, but estimated **Critical** (9.8 range) based on unauthenticated remote access and full-read SSRF capabilities.
- **CWE**: CWE-918 (Server-Side Request Forgery), CWE-288 (Authentication Bypass Using an Alternate Path or Channel), CWE-444 (Inconsistent Interpretation of HTTP Requests).
## Affected Systems
- **Products**: WSO2 API Manager, WSO2 Identity Server, and other products built on the WSO2 Carbon framework.
- **Versions**: Versions utilizing Carbon Kernel prior to the September 2025 patches.
- **Configurations**: Default installations containing the legacy `WSRequestXSSproxy_ajaxprocessor.jsp` file.
## Vulnerability Description
This vulnerability stems from a chain of two distinct flaws:
1. **Authentication Bypass (CVE-2025-5605):** The WSO2 `CarbonSecuredHttpContext` contains a hardcoded whitelist intended for legacy Java applets, skipping authentication if a URI ends in `.jar` or `.class`. By utilizing **Matrix Parameters** (e.g., adding `;a=.jar` to the end of a URL), an attacker satisfies the `endsWith()` check while the servlet engine still routes the request to the intended JSP.
2. **Server-Side Request Forgery (CVE-2025-5350):** A legacy file, `WSRequestXSSproxy_ajaxprocessor.jsp` (unused since 2008 but still present), acts as a proxy for SOAP/XML requests. It allows control over the target URI, payload, and HTTP headers via an `options` parameter.
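The following is an added example, not code from WSO2 or from the write-up, that models the flawed suffix check in Python beside a hardened version. The function names, the `APPLET_SUFFIXES` tuple and the request URIs are assumptions for illustration; the real check lives in Java servlet code. It shows why an `endsWith()` test on the raw request URI is the wrong layer: a `;key=value` matrix segment changes the string the check sees without changing the resource the container routes to, so the comparison must be made on the normalized path instead.

```python
from urllib.parse import urlsplit, unquote

# Suffixes the legacy applet whitelist exempted from authentication (per the write-up).
APPLET_SUFFIXES = (".jar", ".class")


def flawed_is_applet_resource(request_uri: str) -> bool:
    """Models the original check: endsWith() on the raw request URI.

    Matrix parameters (';key=value' after a path segment) are still part of
    that string, so '/x.jsp;a=.jar' satisfies the check even though the
    container routes the request to x.jsp.
    """
    return request_uri.endswith(APPLET_SUFFIXES)


def normalize_servlet_path(request_uri: str) -> str:
    """Reduce a request URI to the path a servlet container will actually route on.

    Drops the query string and fragment, percent-decodes, strips matrix
    parameters from every segment (so both ';a=.jar' and an encoded
    '%3Ba=.jar' are removed), and collapses '.' and '..' segments.
    """
    path = unquote(urlsplit(request_uri).path)
    segments = []
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0]  # discard ';...' matrix parameters
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    return "/" + "/".join(segments)


def hardened_is_applet_resource(request_uri: str) -> bool:
    """Same suffix rule, but applied to the normalized path rather than the raw URI."""
    return normalize_servlet_path(request_uri).lower().endswith(APPLET_SUFFIXES)


if __name__ == "__main__":
    probe = "/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp;a=.jar"
    print("flawed  :", flawed_is_applet_resource(probe))    # True  (auth skipped)
    print("hardened:", hardened_is_applet_resource(probe))  # False (auth enforced)
```

Normalizing before the comparison closes the matrix-parameter gap, but the normalization has to agree with what the container does; the more robust design, in my view, is to drop suffix-based exemptions altogether and serve static applet resources from a dedicated path prefix that never reaches a JSP.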
## Exploitation
- **Status**: PoC available; Vulnerability disclosed publicly; Reported as patched in late 2025.
- **Complexity**: Medium (Requires Base64 encoding parameters and specific SOAP/XML formatting).
- **Attack Vector**: Network (Remote, Unauthenticated).
### Advanced Exploitation Techniques
- **Header Injection**: A CRLF (carriage-return/line-feed) injection vulnerability exists in the `SOAPAction` header. Attackers can inject arbitrary headers (e.g., `Range`, `Cookie`).
- **Full-Read SSRF**: While the proxy normally only returns XML/JSON, by injecting a `Range: bytes=x-x` header, an attacker can force an XML parser error that leaks one byte of the response at a time (e.g., "Unexpected character 'H'"), bypassing content-type restrictions.
- **Request Smuggling**: Using newline injection, attackers can exploit HTTP pipelining to desync requests/responses, potentially intercepting other users' sessions.
## Impact
- **Confidentiality**: High (Ability to read internal metadata services, local files, and other users' responses via smuggling).
- **Integrity**: High (Ability to perform unauthorized actions on internal APIs).
- **Availability**: Medium (Potential for service disruption via request desynchronization).
## Remediation
### Patches
- WSO2 released fixes for the Carbon Kernel in September 2025.
- **Carbon Kernel PR**: [github[.]com/wso2/carbon-kernel/pull/4381](https://github.com/wso2/carbon-kernel/pull/4381)
- Users should update to the latest version of API Manager or Identity Server provided by WSO2 via their update service or support portal.
### Workarounds
- Delete the vulnerable legacy file: `<WSO2_HOME>/repository/deployment/server/webapps/admin/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp`.
- Implement a Web Application Firewall (WAF) rule to block requests containing matrix parameters (`;`) targeting `.jsp` files.
## Detection
- **Indicators of Compromise**:
  - Access logs showing requests to `WSRequestXSSproxy_ajaxprocessor.jsp`.
  - Request paths containing `;a=.jar` or `;any.jar`.
  - Unusual outbound traffic from the WSO2 server to internal IP addresses (e.g., 169.254.169.254) or localhost.
- **Detection Methods**: Monitor for `SOAPAction` headers in logs that contain encoded newline characters (`%0d%0a`).
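As an added example (not part of the advisory or the write-ups), the detector below runs the three log-based indicators above over constructed access-log lines. It assumes a Tomcat `AccessLogValve` pattern of `%h %t "%r" %s %b "%{SOAPAction}i"`, i.e. the standard fields plus the request's `SOAPAction` header as the last field; the sample lines, IPs and header values are constructed, and `Finding`, `analyze_line` and `scan` are names chosen here. The matrix-parameter rule is written generally (any `;...` segment ending in `.jar` or `.class` before the query string) rather than only the literal `;a=.jar` string from the indicator list.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not real traffic). Format assumed: Tomcat AccessLogValve
# pattern  %h %t "%r" %s %b "%{SOAPAction}i"  (SOAPAction header logged as last field).
SAMPLE_LOG = """\
10.0.0.5 [01/Oct/2025:10:00:01 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 1532 "-"
203.0.113.9 [01/Oct/2025:10:00:02 +0000] "POST /carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp;a=.jar HTTP/1.1" 200 812 "urn:mediate%0d%0aX-Injected:%201"
10.0.0.7 [01/Oct/2025:10:00:03 +0000] "GET /carbon/applets/viewer.jar HTTP/1.1" 200 44120 "-"
10.0.0.7 [01/Oct/2025:10:00:04 +0000] "GET /carbon/admin/index.jsp;jsessionid=ABC123 HTTP/1.1" 302 0 "-"
203.0.113.9 [01/Oct/2025:10:00:05 +0000] "GET /carbon/admin/other.jsp;x.class?y=1 HTTP/1.1" 200 90 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<soapaction>[^"]*)"$'
)

LEGACY_PROXY = "WSRequestXSSproxy_ajaxprocessor.jsp"
# A ';...' matrix segment ending in .jar/.class immediately before the query string or end.
MATRIX_SUFFIX_RE = re.compile(r";[^/?]*\.(?:jar|class)(?=\?|$)", re.IGNORECASE)
# Encoded or literal CR/LF inside the SOAPAction header value.
CRLF_RE = re.compile(r"%0d|%0a|[\r\n]", re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    timestamp: str
    target: str
    reasons: list


def analyze_line(line: str):
    """Return a Finding for one access-log line, or None if it matches no indicator."""
    match = LOG_RE.match(line)
    if not match:
        return None  # unparseable line: not this detector's job
    target = match["target"]
    reasons = []
    if LEGACY_PROXY.lower() in target.lower():
        reasons.append("legacy-proxy-jsp")
    if MATRIX_SUFFIX_RE.search(target):
        reasons.append("matrix-param-suffix-bypass")
    if CRLF_RE.search(match["soapaction"]):
        reasons.append("soapaction-crlf")
    if not reasons:
        return None
    return Finding(match["ip"], match["ts"], target, reasons)


def scan(log_text: str) -> list:
    """Run analyze_line over every line and keep only the hits."""
    findings = [analyze_line(line) for line in log_text.splitlines()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.ip, finding.target, ", ".join(finding.reasons))
```

The benign `;jsessionid=...` line is deliberately included: URL-rewritten session IDs are the most common legitimate matrix segment on a Java application, so a rule that fires on every `;` (as the WAF workaround above would) will be noisy, whereas keying on the `.jar`/`.class` suffix keeps the alert specific to this bypass.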
## References
- Lexfo Security Write-up: [blog[.]lexfo[.]fr/wso2.html](https://blog.lexfo.fr/wso2.html)
- WSO2 Security Advisory: [security[.]docs[.]wso2[.]com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0747/](https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0747/) (Original 2020 advisory; note the 2025 bypass).
- Researcher Write-up: [crnkovic[.]dev/wso2-server-side-request-forgery/](https://crnkovic.dev/wso2-server-side-request-forgery/)