Arbitrary Code Injection in org.apache.synapse:synapse-extensions | CVE-2025-11093

Q: How to fix?

Upgrade org.apache.synapse:synapse-extensions to version 4.0.0-wso2v255 or higher.

Introduced: 5 Nov 2025

NewCVE-2025-11093 (opens in a new tab) CWE-94 (opens in a new tab)

How to fix?

Upgrade org.apache.synapse:synapse-extensions to version 4.0.0-wso2v255 or higher.

Overview

org.apache.synapse:synapse-extensions is an Apache Synapse - Extensions

Affected versions of this package are vulnerable to Arbitrary Code Injection due to a lack of controls on the GraalJS and NashornJS Script Mediator engines. An attacker can execute arbitrary code with elevated privileges by submitting crafted scripts to the integration runtime environment. This is only exploitable if the attacker is an authenticated user with administrator or API creator privileges, depending on the product configuration.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Adjacent
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
High
Integrity (SI)
None
Availability (SA)
High

Arbitrary Code Injection Affecting org.apache.synapse:synapse-extensions package, versions [,4.0.0-wso2v255)

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 5 Nov 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk