External risk intelligence

GeoServer XXE Vulnerability in WMS GetMap Operation

CVE advisory | Known Exploit

CVE-2025-58360

A vulnerability in GeoServer allows attackers to insert external entities into XML requests, potentially leading to unauthorized data access or service disruption. Organizations using affected versions face business risk from this exploit.

Halo Surface Signal: 4

XML External Entity Injection

GeoServer

Affected versions: before 2.25.6; 2.26.0 to before 2.26.2

External exposure likelihood

Halo Surface Signal score for CVE-2025-58360

GeoServer is commonly deployed as a web-based service for geospatial data management. The vulnerability exists within the WMS (Web Map Service) GetMap endpoint, which is a core, standard interface designed to be accessed over the network. Given its role as a server providing public-facing mapping and data services, this endpoint is frequently exposed to internet traffic in typical deployments.

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in GeoServer, an open-source server for sharing and editing geospatial data. The flaw allows external entities to be defined within XML requests sent to the WMS GetMap endpoint. This could permit unauthorized access to sensitive information or disruption of services.

  • Vulnerable GeoServer component
  • Unsanitized XML input
  • Data exposure and service disruption

Attack Path

How an attacker could exploit the issue

An XML External Entity (XXE) vulnerability exists in GeoServer, an open-source geospatial data server. Attackers can exploit it by sending specially crafted XML input to the GetMap operation at `/geoserver/wms`, bypassing the intended restrictions on XML input. This could allow unauthorized access to sensitive information or disruption of services.

  • Exposed network endpoint (`/geoserver/wms`).
  • Attacker sends malicious XML containing external entity declarations.
  • Data exposure or service disruption results.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability in GeoServer could allow attackers to exploit un-sanitized XML input. This could lead to unauthorized access to sensitive data, disruption of services, and significant business risk. Organizations using affected versions of GeoServer should consider this a high-priority issue.

  • No special attacker skill needed (low attack complexity).
  • Network access to the application.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An XML External Entity (XXE) vulnerability in GeoServer could allow an attacker to define external entities within an XML request. This could lead to unauthorized access or manipulation of data. The vendor has released patches to address this issue.

  • Identify GeoServer instances processing XML input.
  • Isolate affected systems or reduce access.
  • Apply vendor fixes and verify.
  • Monitor for related activity.
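The "monitor for related activity" step can be made concrete by scanning request records for the one thing an XXE attempt must carry and a legitimate GetMap document never needs: a DTD with entity declarations. The following detection logic is an added example, not code from the advisory or from the GeoServer project; it assumes request records with a `path` and `body`, and assumes (standard WMS behaviour, not stated on this page) that GetMap can also carry XML in the URL-encoded `SLD_BODY` query parameter. Sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Markup that legitimate WMS GetMap XML (GetMap or SLD documents) never needs,
# but that an XXE attempt must carry: a DTD with entity declarations.
DTD_INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE", re.I),
    "entity_decl": re.compile(r"<!ENTITY", re.I),
    "external_id": re.compile(r"\b(SYSTEM|PUBLIC)\s+[\"']", re.I),
    "param_entity_ref": re.compile(r"%[A-Za-z_][\w.\-]*;"),
}

def is_wms_request(path):
    # The endpoint named in the advisory; query string and trailing slash ignored.
    return urlsplit(path).path.rstrip("/").lower().endswith("/geoserver/wms")

def xml_payloads(record):
    # Every place a GetMap request can carry XML: the POST body and (assumed:
    # standard WMS behaviour, not stated on the page) the URL-encoded SLD_BODY
    # query parameter, which parse_qs decodes for us.
    payloads = [("body", record["body"])] if record.get("body") else []
    for key, values in parse_qs(urlsplit(record["path"]).query).items():
        if key.lower() == "sld_body":
            payloads.extend(("sld_body", v) for v in values)
    return payloads

def dtd_indicators(xml_text):
    return sorted(name for name, rx in DTD_INDICATORS.items() if rx.search(xml_text))

def find_suspicious(records):
    # Returns (record number, where the XML was found, indicators) per hit.
    hits = []
    for i, rec in enumerate(records, 1):
        if not is_wms_request(rec["path"]):
            continue
        for source, text in xml_payloads(rec):
            found = dtd_indicators(text)
            if found:
                hits.append((i, source, found))
    return hits

# Constructed sample request records (invented for this example, not from the advisory).
SAMPLE_RECORDS = [
    {"path": "/geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=demo", "body": ""},
    {"path": "/geoserver/wms", "body": '<?xml version="1.0"?><StyledLayerDescriptor version="1.0.0"/>'},
    {"path": "/geoserver/wms", "body": '<?xml version="1.0"?><!DOCTYPE sld [<!ENTITY ext SYSTEM "file:///placeholder">]><sld>&ext;</sld>'},
    {"path": "/geoserver/wms?REQUEST=GetMap&SLD_BODY=%3C%21DOCTYPE%20x%20%5B%3C%21ENTITY%20%25%20p%20SYSTEM%20%22http%3A%2F%2Fexample.invalid%2Fd%22%3E%25p%3B%5D%3E%3Cx%2F%3E", "body": ""},
    {"path": "/geoserver/rest/workspaces", "body": "<!DOCTYPE x><x/>"},  # not WMS: ignored
]
```

Running `find_suspicious(SAMPLE_RECORDS)` flags records 3 and 4 only; the query-string case shows why the URL-decoded parameters must be scanned, not just the POST body.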

Frequently asked questions

What is the nature of the vulnerability in GeoServer affecting the WMS GetMap operation?

GeoServer versions 2.26.0 through 2.26.2 and prior to 2.25.6 contain an XML External Entity (XXE) vulnerability. This occurs because the application accepts XML input through the /geoserver/wms GetMap operation without sufficient sanitization, allowing attackers to define external entities within XML requests.

How does the XXE vulnerability in GeoServer work?

The vulnerability is a CWE-611 weakness, an improper restriction of XML external entity reference. Attackers can send malicious XML input to the GeoServer WMS GetMap endpoint. This input is not properly validated, enabling the attacker to define external entities within the XML, potentially leading to unauthorized data access or system disruption.

What is the attack vector for the GeoServer XXE vulnerability?

The vulnerability can be exploited by an attacker over the network (AV:N) with low complexity (AC:L) and no privileges required (PR:N). The attacker sends a crafted XML request to the exposed /geoserver/wms GetMap operation. Scope is unchanged (S:U), meaning the impact stays within the vulnerable GeoServer component, with high confidentiality, integrity, and availability impacts (C:H/I:H/A:H).

What is the relevance of the GeoServer XXE vulnerability and how is it signaled?

GeoServer is a widely used open-source server for geospatial data, often exposed via network endpoints like the WMS GetMap operation. The vulnerability, CVE-2025-58360, has a high CVSSv3.1 score of 9.8 (CRITICAL) and is listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. Halo's analysis indicates a 'Likely' exposure score due to the common deployment of GeoServer as a public-facing web service.

What practical steps should be taken to address the GeoServer XXE vulnerability?

To address this vulnerability, organizations should identify all GeoServer instances that process XML input. It is recommended to isolate affected systems or restrict access to them if possible. The most crucial step is to apply the vendor-released patches, which are available in GeoServer 2.25.6, 2.26.3, and 2.27.0, and subsequently verify that the patches have been successfully applied.
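The "identify, patch, verify" steps above reduce to a version check against the ranges this page states. The following is an added example, not the advisory's or the GeoServer project's code: it parses reported GeoServer version strings, treats a pre-release build of a fixed version (such as a `-SNAPSHOT`) as still affected, and reports which fixed release each affected host should move to. The inventory is constructed.

```python
import re

# Version facts as the advisory states them: affected are versions before 2.25.6
# and 2.26.0 through 2.26.2; fixes shipped in 2.25.6, 2.26.3 and 2.27.0.
FIX_FOR_BRANCH = {(2, 25): (2, 25, 6), (2, 26): (2, 26, 3)}
FIRST_FIXED_BRANCH = (2, 27)

_VERSION_RX = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")

def parse_version(text):
    # Returns (major, minor, patch, release) where release is 0 for a build with
    # a qualifier such as -SNAPSHOT, so a pre-release of a fixed version still
    # sorts below that fixed release and is treated as affected (conservative).
    m = _VERSION_RX.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qualifier else 1)

def required_fix(version):
    # The fixed release an instance must be on, or None if it is outside the
    # affected ranges. 2.27 and later shipped fixed per the advisory; the page
    # says nothing about 2.27 pre-release builds, so they are not flagged here.
    v = parse_version(version)
    branch = v[:2]
    if branch >= FIRST_FIXED_BRANCH:
        return None
    # 2.26.x patches to 2.26.3; everything older than 2.25.6 is affected and
    # the nearest fixed release for it is 2.25.6.
    fixed = FIX_FOR_BRANCH[branch if branch == (2, 26) else (2, 25)]
    return None if v >= fixed + (1,) else ".".join(map(str, fixed))

def audit(inventory):
    # inventory: {host: reported version}. Returns only hosts that need a patch.
    return {host: fix for host, ver in inventory.items() if (fix := required_fix(ver))}

# Constructed inventory for this example (hostnames and versions are invented).
SAMPLE_INVENTORY = {
    "maps-prod-1": "2.26.2",
    "maps-prod-2": "2.26.3",
    "maps-legacy": "2.24.1",
    "maps-stage": "2.25.6-SNAPSHOT",
    "maps-new": "2.27.0",
}
```

`audit(SAMPLE_INVENTORY)` returns the three hosts still in an affected range together with the release each should be patched to.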
