CVE-2025-2905: WSO2 API Manager XML External Entity (XXE) vulnerability
9.1
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.wso2.am:am-distribution-parent | maven | < 2.1.0 | 2.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
I was unable to find the exact commit that fixes the vulnerability. The vulnerability is patched in version 2.1.0. I have listed the commits between v2.1.0-rc4 and v2.1.0-rc5 (which is the same as v2.1.0). However, none of these commits seem to be related to fixing an XXE vulnerability. Since I cannot find the exact commit, I cannot provide the vulnerable functions with high confidence. Therefore, I will return an empty list of vulnerable functions.

The commit history between the specified tags mostly contains version bumps and license updates, with one commit changing a hash generator for response caching and another adding a SAML feature. None of these changes appear to address an XXE vulnerability related to XML input validation in URL paths within the gateway component. Without a clear patch, it's impossible to identify the specific vulnerable functions or how they were fixed based on the provided commit information. The available information is insufficient to pinpoint the vulnerable code or the mitigation strategy with any certainty. Therefore, no functions can be confidently identified as vulnerable or patched in relation to this specific XXE issue from the given commits.