Severity: HIGH · CVE-2025-6670 · CVSS 8.8

CVE-2025-6670: CSRF in WSO2 Open Banking AM

Platform: java

Component: wso2-open-banking-am

Fixed in: 4.5.0.34, 4.6.0.1, 4.5.0.36, 3.1.0.349, 3.2.0.453, 3.2.1.73, 4.0.0.373, 4.1.0.236, 4.2.0.176, 4.3.0.88, 4.4.0.52, 4.5.0.35, 5.10.0.378, 5.11.0.425, 6.0.0.252, 6.1.0.253, 7.0.0.130, 7.1.0.38, 7.2.0.1, 5.10.0.369, 6.6.0.226, 4.5.3.50, 4.6.0.2253, 4.6.1.157, 4.6.2.673, 4.6.3.41, 4.6.4.22, 4.7.1.73, 4.8.1.43, 4.9.0.106, 4.9.26.31, 4.9.27.16, 4.9.28.18, 4.9.33.2, 4.10.9.75, 4.10.42.18, 4.10.101.3 (see the Affected Software table for the range each fix covers)

AI confidence: medium · Source: NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-6670 describes a Cross-Site Request Forgery (CSRF) vulnerability in WSO2 Open Banking AM. It allows an attacker to make an authenticated user's browser perform unauthorized actions within the admin services. The issue stems from the use of HTTP GET requests for state-changing operations: a session cookie marked SameSite=Lax is still sent on top-level cross-site GET navigations, so the SameSite attribute does not protect those operations. Affected versions include those prior to 7.2.0.1, and a fix is available in version 7.2.0.1.


Impact and Attack Scenarios

An attacker can exploit this CSRF vulnerability by crafting a malicious link and enticing an authenticated user to click it. When the user does so, the browser sends an authenticated request to the WSO2 Open Banking AM server without the user's knowledge, executing the attacker's intended action. This could involve modifying configurations, creating or deleting users, or performing other administrative tasks without the user's explicit consent. The potential impact is significant: a successful exploit could lead to unauthorized access to and control over the WSO2 Open Banking AM instance, compromising sensitive data and disrupting services. The reliance on GET requests for state changes, despite the presence of SameSite cookies, is the root cause and makes this a particularly concerning vulnerability.

Exploitation Context

CVE-2025-6670 was publicly disclosed on 2025-11-18. Because the state-changing operations are reachable over GET, the SameSite cookie attribute does not prevent the attack, so exploitation requires only that an authenticated user follow a link. Currently there are no publicly available proof-of-concept exploits, but the vulnerability's ease of exploitation makes it a potential target for opportunistic attackers. It is not currently listed in the CISA KEV catalog. The CVSS score of 8.8 (HIGH) reflects the potential for significant impact.

Threat Intelligence

Exploit Status

Proof of concept: Unknown
CISA KEV: No
Internet exposure: High

EPSS

0.04% (10th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base score: 8.8 (HIGH)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. The attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — the victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. The attacker can read all data: credentials, keys, personal data.
Integrity: High — the attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: wso2-open-banking-am
Vendor: WSO2

Affected range          Fixed in
4.5.0 – 4.5.0.34        4.5.0.34
4.6.0 – 4.6.0.1         4.6.0.1
4.5.0 – 4.5.0.34        4.5.0.34
4.6.0 – 4.6.0.1         4.6.0.1
4.5.0 – 4.5.0.36        4.5.0.36
4.6.0 – 4.6.0.1         4.6.0.1
3.1.0 – 3.1.0.349       3.1.0.349
3.2.0 – 3.2.0.453       3.2.0.453
3.2.1 – 3.2.1.73        3.2.1.73
4.0.0 – 4.0.0.373       4.0.0.373
4.1.0 – 4.1.0.236       4.1.0.236
4.2.0 – 4.2.0.176       4.2.0.176
4.3.0 – 4.3.0.88        4.3.0.88
4.4.0 – 4.4.0.52        4.4.0.52
4.5.0 – 4.5.0.35        4.5.0.35
4.6.0 – 4.6.0.1         4.6.0.1
5.10.0 – 5.10.0.378     5.10.0.378
5.11.0 – 5.11.0.425     5.11.0.425
6.0.0 – 6.0.0.252       6.0.0.252
6.1.0 – 6.1.0.253       6.1.0.253
7.0.0 – 7.0.0.130       7.0.0.130
7.1.0 – 7.1.0.38        7.1.0.38
7.2.0 – 7.2.0.1         7.2.0.1
5.10.0 – 5.10.0.369     5.10.0.369
6.6.0 – 6.6.0.226       6.6.0.226
4.5.3 – 4.5.3.50        4.5.3.50
4.6.0 – 4.6.0.2253      4.6.0.2253
4.6.1 – 4.6.1.157       4.6.1.157
4.6.2 – 4.6.2.673       4.6.2.673
4.6.3 – 4.6.3.41        4.6.3.41
4.6.4 – 4.6.4.22        4.6.4.22
4.7.1 – 4.7.1.73        4.7.1.73
4.8.1 – 4.8.1.43        4.8.1.43
4.9.0 – 4.9.0.106       4.9.0.106
4.9.26 – 4.9.26.31      4.9.26.31
4.9.27 – 4.9.27.16      4.9.27.16
4.9.28 – 4.9.28.18      4.9.28.18
4.9.33 – 4.9.33.2       4.9.33.2
4.10.9 – 4.10.9.75      4.10.9.75
4.10.42 – 4.10.42.18    4.10.42.18
4.10.101 – 4.10.101.3   4.10.101.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-6670 is to upgrade WSO2 Open Banking AM to version 7.2.0.1 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible, consider temporary workarounds to reduce the attack surface. These may include restricting access to admin services to trusted networks, implementing stricter input validation on all admin endpoints, and carefully reviewing any third-party integrations that interact with the admin console. SameSite cookies are present but ineffective in this scenario, which highlights the importance of accepting state-changing operations only over POST requests. After upgrading, confirm the fix by attempting to trigger a CSRF request against a test instance and verifying that the request is blocked or ignored.
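To make the mechanism behind this advisory concrete, the following added example (not code from the advisory or from WSO2) models the browser's SameSite cookie decision and two server-side handler patterns for an admin action: the pre-fix pattern that accepts a state change over GET and trusts the session cookie alone, and a hardened pattern that requires POST, a same-site Origin/Referer, and a synchronizer token. The hostnames, URL path, cookie policy names and token value are constructed for illustration; the handlers are simplified stand-ins, not WSO2's admin services.

```python
"""Why SameSite alone does not protect a GET that changes state.

Added example, not code from the advisory or from WSO2. Hostnames, paths
and the token value are constructed. The browser model follows the SameSite
rules as commonly implemented:
  Strict: cookie never sent on a cross-site request
  Lax:    cookie sent cross-site only for a top-level navigation with a
          safe method (GET/HEAD) -- the gap a GET-triggered state change falls into
  None:   always sent (must also be Secure)
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

SERVER = "https://ob-am.example.test"        # constructed admin host
ATTACKER = "https://attacker.example.test"   # constructed third-party site
SESSION_TOKEN = "constructed-csrf-token-123"  # anti-CSRF token bound to the victim's session


@dataclass
class Request:
    method: str
    url: str
    initiator: str | None          # URL of the page that issued the request; None = typed/bookmarked
    top_level: bool = True         # navigation (True) vs. fetch/XHR/img (False)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

    @property
    def query(self) -> dict:
        return dict(parse_qsl(urlsplit(self.url).query))


def site(url: str) -> str:
    return urlsplit(url).hostname or ""


def browser_sends_cookie(req: Request, samesite: str) -> bool:
    """Decide whether the browser attaches the session cookie to `req`."""
    if req.initiator is None or site(req.initiator) == site(req.url):
        return True                       # same-site request: always sent
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return req.top_level and req.method in ("GET", "HEAD")
    return True                           # SameSite=None


def vulnerable_delete_user(req: Request, cookie_sent: bool) -> tuple[int, str]:
    """Pre-fix pattern: the action is reachable over GET and trusts the cookie alone."""
    if not cookie_sent:
        return 401, "no session"
    user = req.query.get("user") or req.form.get("user")
    return 200, f"deleted {user}"


def hardened_delete_user(req: Request, cookie_sent: bool) -> tuple[int, str]:
    """Hardened pattern: POST only, same-site origin check, synchronizer token."""
    if not cookie_sent:
        return 401, "no session"
    if req.method != "POST":
        return 405, "state change requires POST"      # safe methods never change state
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin or site(origin) != site(req.url):
        return 403, "cross-site origin"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), SESSION_TOKEN):
        return 403, "bad csrf token"
    return 200, f"deleted {req.form.get('user')}"


def run_scenarios(samesite: str = "Lax") -> dict[str, object]:
    """Status each handler returns for a forged link, a forged cross-site POST and a legitimate form post."""
    forged_link = Request("GET", f"{SERVER}/admin/deleteUser?user=bob", initiator=ATTACKER,
                          headers={"Referer": ATTACKER + "/"})
    forged_post = Request("POST", f"{SERVER}/admin/deleteUser", initiator=ATTACKER,
                          headers={"Origin": ATTACKER}, form={"user": "bob"})
    legit_post = Request("POST", f"{SERVER}/admin/deleteUser", initiator=SERVER + "/admin",
                         headers={"Origin": SERVER},
                         form={"user": "bob", "csrf_token": SESSION_TOKEN})
    out: dict[str, object] = {}
    for name, req in (("forged_link", forged_link), ("forged_post", forged_post), ("legit_post", legit_post)):
        sent = browser_sends_cookie(req, samesite)
        out[f"{name}_cookie_sent"] = sent
        out[f"{name}_vulnerable"] = vulnerable_delete_user(req, sent)[0]
        out[f"{name}_hardened"] = hardened_delete_user(req, sent)[0]
    return out


if __name__ == "__main__":
    for policy in ("Lax", "Strict", "None"):
        print(policy, run_scenarios(policy))
```

Under SameSite=Lax the forged cross-site POST is already stopped by the browser, but the forged GET link carries the cookie and the pre-fix handler executes it with a 200; the hardened handler rejects the same request with 405 before any state changes. The same hardened handler also rejects a cookie-bearing cross-site POST under SameSite=None on the origin check, which is why the server-side controls matter regardless of the cookie attribute.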

How to fix

Update to the latest version of WSO2 Open Banking AM that contains the fix for the CSRF vulnerability. Ensure that Carbon console services are not exposed to untrusted networks, following the WSO2 Secure Production Guidelines.


Frequently asked questions

What is CVE-2025-6670 — CSRF in WSO2 Open Banking AM?

CVE-2025-6670 is a Cross-Site Request Forgery (CSRF) vulnerability in WSO2 Open Banking AM versions prior to 7.2.0.1, allowing attackers to perform unauthorized actions via crafted links.

Am I affected by CVE-2025-6670 in WSO2 Open Banking AM?

Yes, if you are running WSO2 Open Banking AM versions earlier than 7.2.0.1, you are potentially affected by this CSRF vulnerability.

How do I fix CVE-2025-6670 in WSO2 Open Banking AM?

Upgrade WSO2 Open Banking AM to version 7.2.0.1 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.

Is CVE-2025-6670 being actively exploited?

While no public exploits are currently known, the vulnerability's ease of exploitation makes it a potential target for attackers.

Where can I find the official WSO2 advisory for CVE-2025-6670?

Refer to the official WSO2 security advisory for detailed information and updates regarding CVE-2025-6670: [https://wso2.com/en/security/vulnerabilities/cve-2025-6670/](https://wso2.com/en/security/vulnerabilities/cve-2025-6670/)
