CVE-2025-13590: carbon-apimgt does not properly restrict uploaded files
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Because the actor controls both the file content and where it is written on disk, a specially crafted payload can lead to remote code execution on the host. The precondition is an administrator-level account, so the issue is a crossing of the boundary between application administrator and code execution on the server rather than an unauthenticated attack.
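The general defect the advisory describes, a file-upload handler that joins a client-supplied name onto a server directory without confining the result, is easy to see in a small, self-contained example. The code below is added here for illustration and is not carbon-apimgt's code, nor the patched handler; the upload directory, the extension allow-list and the sample names are all constructed assumptions. It shows the vulnerable join beside a hardened version that allow-lists the name, checks the extension, and then proves the canonical path is a direct child of the upload directory.

```python
import os
import re

# Assumptions (not from the advisory): uploads live under one fixed directory
# and only these content types are legitimate for the endpoint.
ALLOWED_EXTENSIONS = {".json", ".yaml", ".yml", ".zip"}
# Exactly one path component: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class UploadRejected(ValueError):
    """Raised when a client-supplied file name fails validation."""


def unsafe_upload_path(upload_dir: str, client_path: str) -> str:
    """Vulnerable pattern: join the client-supplied value verbatim.

    A value such as ../../bin/run.sh resolves outside upload_dir, so the
    caller ends up writing wherever the client asked.
    """
    return os.path.join(upload_dir, client_path)


def escapes_upload_dir(upload_dir: str, client_path: str) -> bool:
    """True if the vulnerable join would land outside upload_dir."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(unsafe_upload_path(upload_dir, client_path))
    return os.path.dirname(target) != base


def safe_upload_path(upload_dir: str, client_name: str) -> str:
    """Hardened pattern: allow-list the name, then confine the canonical path."""
    if not SAFE_NAME.fullmatch(client_name):
        raise UploadRejected(f"file name not allowed: {client_name!r}")
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, client_name))
    # Belt and braces: even if the regex is loosened later, refuse anything
    # whose canonical path is not a direct child of the upload directory.
    if os.path.dirname(target) != base:
        raise UploadRejected(f"path escapes upload directory: {target}")
    return target


def check_upload(upload_dir: str, client_name: str) -> tuple:
    """Convenience wrapper: (accepted, canonical path or rejection reason)."""
    try:
        return True, safe_upload_path(upload_dir, client_name)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: a benign name, traversal, a disallowed type,
    # a dot-file and a backslash separator.
    upload_dir = "/nonexistent_demo/uploads"
    for name in ["api.yaml", "../../bin/run.sh", "shell.jsp", ".hidden.json", "a\\b.json"]:
        print(f"{name!r:22} unsafe escapes={escapes_upload_dir(upload_dir, name)}"
              f"  safe={check_upload(upload_dir, name)}")
```

The regex does most of the work; the canonical-path check is there so the handler stays safe if someone later relaxes the name rule, and `realpath` also defeats a symlink planted inside the upload directory.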
References
- github.com/advisories/GHSA-p6jf-79j3-33f3
- github.com/wso2/carbon-apimgt
- github.com/wso2/carbon-apimgt/commit/49a6427b39a5d9552ce97430858bb4b1912a3044
- github.com/wso2/carbon-apimgt/pull/13560
- github.com/wso2/carbon-apimgt/releases/tag/v9.32.167
- nvd.nist.gov/vuln/detail/CVE-2025-13590
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849