lokvica

Script Mediator Class Blacklist Bypass Leading to Remote Code Execution in Multiple WSO2 Products

Date:
CVE ID: CVE-2025-11093
CVSS score: 9.1 * (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Product: Multiple (WSO2)
Researcher: @crnkovic
Type: RCE
CWE: CWE-94

Following WSO2-2023-2938, WSO2 introduced a blacklist of dangerous Java classes to prevent remote code execution through Script Mediator definitions. This restriction was only applied to the Rhino engine. By specifying language="nashornJs", an attacker bypasses it entirely:

<script language="nashornJs">
  var Runtime = java.lang.Runtime;
  Runtime.getRuntime().exec("id");
</script>
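The following is an added example, not code from the advisory or from WSO2. It models the pre-fix behaviour described above (a class blacklist consulted only when the Rhino engine is selected) beside an engine-agnostic check, and scans a constructed mediation sequence for blacklisted Java class references in every script mediator, whatever its language attribute says. The blacklist entries and the sample sequence XML are assumed, illustrative values.

```python
"""Engine-agnostic audit of Script Mediator definitions.

Added example, not code from the advisory or from WSO2. It contrasts a
blacklist consulted only for the Rhino engine (the pre-fix behaviour the
advisory describes) with one applied to every engine, and scans a
constructed mediation sequence for dangerous Java class references in
every <script> mediator, regardless of its `language` attribute.
"""
import xml.etree.ElementTree as ET

SYNAPSE_NS = "http://ws.apache.org/ns/synapse"

# Assumed, illustrative blacklist; not WSO2's actual list.
DANGEROUS_CLASSES = (
    "java.lang.Runtime",
    "java.lang.ProcessBuilder",
    "java.lang.reflect",
    "java.io.File",
)

# Constructed sample sequence: one benign script, one Rhino ("js") script
# that the blacklist catches, and one Nashorn script that bypasses it.
SAMPLE_SEQUENCE = """\
<sequence xmlns="http://ws.apache.org/ns/synapse" name="audit_demo">
  <script language="js"><![CDATA[
    mc.setProperty("greeting", "hello");
  ]]></script>
  <script language="js"><![CDATA[
    java.lang.Runtime.getRuntime().exec("id");
  ]]></script>
  <script language="nashornJs"><![CDATA[
    var Runtime = java.lang.Runtime;
    Runtime.getRuntime().exec("id");
  ]]></script>
</sequence>
"""


def blocked_classes(body: str) -> list:
    """Return the blacklisted class names referenced in a script body.

    Plain substring matching suffices here: the dotted class name appears
    verbatim whether the script writes java.lang.Runtime,
    Packages.java.lang.Runtime or Java.type("java.lang.Runtime").
    """
    return sorted(cls for cls in DANGEROUS_CLASSES if cls in body)


def rhino_only_check(language: str, body: str) -> bool:
    """Model of the pre-fix behaviour: blacklist consulted only for Rhino ("js").

    Returns True when the script would be accepted for deployment.
    """
    if language != "js":
        return True  # any other engine is not inspected at all
    return not blocked_classes(body)


def engine_agnostic_check(language: str, body: str) -> bool:
    """Hardened form: the blacklist applies regardless of the engine named."""
    return not blocked_classes(body)


def audit_sequence(sequence_xml: str) -> list:
    """Scan every <script> mediator and report those the hardened check rejects."""
    root = ET.fromstring(sequence_xml)
    findings = []
    for index, script in enumerate(root.iter(f"{{{SYNAPSE_NS}}}script")):
        language = script.get("language", "")
        body = script.text or ""  # ElementTree exposes CDATA content as .text
        if engine_agnostic_check(language, body):
            continue
        findings.append({
            "index": index,
            "language": language,
            "classes": blocked_classes(body),
            # True here means the old Rhino-only check would have let it through
            "passed_rhino_only_check": rhino_only_check(language, body),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sequence(SAMPLE_SEQUENCE):
        print(finding)
```

Run against the sample, the audit reports both scripts that reference java.lang.Runtime; the nashornJs one is the finding the Rhino-only check would have accepted, which is the gap the advisory describes. In a real deployment the same scan belongs in whatever path accepts or modifies sequence definitions, not only in the default engine's code path.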

This is exploitable via any operation that deploys or modifies mediation sequences, including the APIGatewayAdmin SOAP service which lacks proper authorisation checks (CVE-2025-9804). When combined with authentication bypass vulnerabilities (CVE-2025-9152, CVE-2025-10611), this enables pre-auth remote code execution.

This vulnerability was responsibly disclosed and has been patched by the vendor.

Affected products
