CVE-2025-6670

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-6670
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6670.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-6670
Published
2025-11-18T12:15:46.420Z
Modified
2026-03-13T03:42:41.666674Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests.

A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.

References

Affected packages

Git / github.com/wso2/product-apim

Affected ranges

Type
GIT
Repo
https://github.com/wso2/product-apim
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
f84a64d6683176f3ffb57fa262f3035b69781f2f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
8cc6ee54401aa3e3281cd7aeded278c9b7ed6988
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2971de274564b622974de831403e9688a4a76c14
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
e4956e9301b1c26eb06e80ec5c86628154b6ab55
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
cf00d9e6cb083f94abae11818794f62cd5c94079
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9f152cad69fafd010fae1ed02b636409f0860b91
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
572610e8e6564a647044bdb454eda658e1253352
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
6e7a9db24a575f1f4a5bc4f4cbb41687c308c466
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c97258caec907ea69c289c80ff708a214c3372dc
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
f84a64d6683176f3ffb57fa262f3035b69781f2f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
8cc6ee54401aa3e3281cd7aeded278c9b7ed6988
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2d31e24faeeb97e70d7f19033ccff2f843f8c892
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2d31e24faeeb97e70d7f19033ccff2f843f8c892
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
f84a64d6683176f3ffb57fa262f3035b69781f2f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
8cc6ee54401aa3e3281cd7aeded278c9b7ed6988
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
f84a64d6683176f3ffb57fa262f3035b69781f2f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
8cc6ee54401aa3e3281cd7aeded278c9b7ed6988
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.5.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.6.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.1.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.2.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.1.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.2.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.3.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.4.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.5.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.6.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.5.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.6.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.5.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.6.0"
        }
    ]
}

Affected versions

4.*
4.0.0-beta
test-tag-1.*
test-tag-1.9.0-Alpha
v1.*
v1.10.0
v1.10.0-Alpha
v1.10.0-Beta
v1.10.0-rc3
v1.10.0-rc4
v1.9.0
v1.9.0-Alpha
v1.9.0-Beta
v1.9.0-Beta-2
v1.9.0-Beta-3
v1.9.0-M2
v2.*
v2.0.0
v2.0.0-ALPHA
v2.0.0-BETA
v2.0.0-M1
v2.0.0-M2
v2.0.0-M3
v2.0.0-M4
v2.0.0-M5
v2.0.0-beta2
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.0.0-rc5
v2.1.0-alpha
v2.1.0-update1
v2.1.0-update10
v2.1.0-update11
v2.1.0-update12
v2.1.0-update13
v2.1.0-update14
v2.1.0-update2
v2.1.0-update3
v2.1.0-update4
v2.1.0-update5
v2.1.0-update6
v2.1.0-update7
v2.1.0-update8
v2.1.0-update9
v2.2.0
v2.2.0-update1
v2.2.0-update2
v2.2.0-update3
v2.2.0-update4
v2.2.0-update5
v2.2.0-update6
v2.2.0-update7
v2.5.0
v2.5.0-Alpha
v2.5.0-Beta
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.5.0-rc4
v2.6.0
v2.6.0-alpha
v2.6.0-alpha2
v2.6.0-beta
v2.6.0-beta2
v2.6.0-m1
v2.6.0-m2
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v3.*
v3.0.0
v3.0.0-alpha
v3.0.0-alpha2
v3.0.0-beta
v3.0.0-m32
v3.0.0-m33
v3.0.0-m34
v3.0.0-m35
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.1.0
v3.1.0-alpha
v3.1.0-beta
v3.1.0-m1
v3.1.0-m2
v3.1.0-m3
v3.1.0-m4
v3.1.0-m5
v3.1.0-rc1
v3.1.0-rc2
v3.1.0-rc3
v3.2.0
v3.2.0-alpha
v3.2.0-beta
v3.2.0-m1
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.2.0-rc4
v3.2.0-rc5
v3.2.0-rc6
v4.*
v4.0.0
v4.0.0-alpha
v4.0.0-beta
v4.0.0-m1
v4.0.0-m2
v4.0.0-m3
v4.0.0-m4
v4.0.0-m5
v4.0.0-m6
v4.0.0-m7
v4.0.0-m8
v4.0.0-rc
v4.1.0
v4.1.0-alpha
v4.1.0-beta
v4.1.0-m1
v4.1.0-m2
v4.1.0-m3
v4.1.0-m4
v4.1.0-rc
v4.1.0-rc2
v4.1.0-rc3
v4.2.0
v4.2.0-alpha
v4.2.0-beta
v4.2.0-m1
v4.2.0-rc
v4.2.0-rc2
v4.3.0
v4.3.0-alpha
v4.3.0-alpha2
v4.3.0-beta
v4.3.0-m1
v4.3.0-m2
v4.3.0-rc
v4.3.0-rc2
v4.4.0
v4.4.0-alpha
v4.4.0-beta
v4.4.0-m1
v4.4.0-m2
v4.4.0-rc
v4.4.0-rc2
v4.5.0-acp
v4.5.0-acp-alpha
v4.5.0-acp-beta
v4.5.0-acp-m1
v4.5.0-acp-rc
v4.5.0-acp-rc2
v4.5.0-alpha
v4.5.0-beta
v4.5.0-gw-alpha
v4.5.0-gw-beta
v4.5.0-gw-m1
v4.5.0-gw-rc
v4.5.0-m1
v4.5.0-m2
v4.5.0-rc
v4.5.0-tm
v4.5.0-tm-alpha
v4.5.0-tm-beta
v4.5.0-tm-m1
v4.5.0-tm-rc
v4.5.0-tm-rc2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6670.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.2.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "6.6.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.11.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "6.0.0-NA"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "6.1.0-NA"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.0.0-NA"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.1.0-NA"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.2.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.10.0"
            }
        ]
    }
]