CVE-2025-5350 is a vulnerability in the deprecated Try-It feature of WSO2 Identity Server versions 5.10.0 through 7.1.0. This feature, accessible only to administrative users, improperly validates user-supplied URLs, leading to Server-Side Request Forgery (SSRF). SSRF allows an attacker to force the server to make arbitrary HTTP requests, potentially accessing internal services that are otherwise inaccessible externally. Additionally, the content retrieved by the server is reflected directly in the HTTP response without sanitization, resulting in a reflected Cross-Site Scripting (XSS) vulnerability in the administrator's browser context. This XSS can be exploited by tricking an administrator into clicking a crafted link, enabling arbitrary JavaScript execution. Although session cookies are protected with the HttpOnly flag, the XSS can still be leveraged for UI manipulation or data exfiltration. The SSRF component can be used by a privileged attacker to enumerate internal network services, increasing the attack surface. The vulnerability requires high privileges (administrative access) but no further user interaction beyond clicking the malicious link. The CVSS 3.1 score of 5.9 reflects a medium severity due to the combination of privilege requirements and potential impact on confidentiality, integrity, and availability. No patches or known exploits are currently reported, but the vulnerability poses a risk to organizations relying on affected WSO2 Identity Server versions.

For European organizations, this vulnerability presents a significant risk primarily to administrative users of WSO2 Identity Server. Exploitation could lead to unauthorized internal network reconnaissance via SSRF, potentially exposing sensitive internal services and data. The reflected XSS could allow attackers to manipulate the administrative UI or exfiltrate sensitive information from the admin's browser context, potentially compromising administrative control. Given that WSO2 Identity Server is widely used in identity and access management across various sectors, including government, finance, and healthcare, the impact could extend to critical infrastructure and sensitive personal data protected under GDPR. The SSRF could facilitate lateral movement inside corporate networks, increasing the risk of broader compromise. The requirement for administrative privileges limits the attack vector but does not eliminate risk, especially in environments where phishing or social engineering could trick administrators. The lack of known exploits in the wild suggests a window for proactive mitigation, but the medium severity and potential for internal network exposure warrant urgent attention.

Organizations should immediately disable the deprecated Try-It feature if it remains enabled, as it is the root cause of the vulnerability. If disabling is not feasible, restrict administrative access to the WSO2 Identity Server management console to trusted networks and enforce strong multi-factor authentication to reduce the risk of credential compromise. Implement strict URL validation and filtering at the application or web server level to prevent SSRF attempts. Monitor administrative user activity for unusual access patterns or suspicious requests. Regularly update WSO2 Identity Server to the latest versions once patches addressing this vulnerability are released. Employ web application firewalls (WAFs) with rules designed to detect and block SSRF and reflected XSS attack patterns. Conduct security awareness training for administrators to recognize phishing attempts that could lead to clicking malicious links. Finally, perform internal network segmentation to limit the impact of SSRF-based internal reconnaissance.