
GeoServer Under Attack: Critical XXE Vulnerability CVE-2025-58360 Requires Immediate Patching!

Overview

A critical XML External Entity (XXE) vulnerability, tracked as CVE-2025-58360, has been disclosed in GeoServer, the open-source server for publishing and editing geospatial data. The affected releases are GeoServer 2.26.0 up to but not including 2.26.2, and every release before 2.25.6. XML submitted to the /geoserver/wms endpoint for the GetMap operation is parsed without restricting document type definitions, so an attacker can declare external entities inside the request and have the server resolve them. Depending on how the instance is deployed, that allows reading files the GeoServer process can open, reaching hosts on the internal network, or tying up the server; remote code execution is possible only in narrow scenarios. Upgrading to a patched release is the recommended fix.

Technical Details

The vulnerability stems from how the GeoServer WMS service parses XML submitted for the GetMap operation: the parser accepts an inline DTD and resolves the external entities it declares. An attacker crafts a payload whose entity declarations point at local files (file://) or at URLs. When the server expands the entity reference, the fetched content becomes part of the parsed document, where it may be reflected in a response or an error message, and the fetch itself is made from the server's network position. What can be exposed includes:

  • Local files readable by the GeoServer process, such as /etc/passwd or configuration files in the data directory
  • Internal network resources reachable from the server but not from the attacker (a server-side request forgery path)

The following is a simplified example of a malicious payload. The element names are placeholders: a real GetMap XML request uses the elements defined by the WMS and SLD schemas, and the entity reference would sit inside one of those.

            <?xml version="1.0"?>
            <!DOCTYPE foo [
             <!ENTITY xxe SYSTEM "file:///etc/passwd">
            ]>
            <GetMap>
                <evil>&xxe;</evil>
            </GetMap>

If the parser expands &xxe;, the contents of /etc/passwd become the text of the <evil> element. Whether the attacker then sees that text depends on whether GeoServer reflects the value in its response or error output; when nothing is reflected, the usual out-of-band XXE techniques still apply, because the parser fetches URLs on the attacker's behalf.
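To make the mechanism concrete, here is an added example in Python; it is not GeoServer code, and it uses the standard library's xml.sax/expat parser as a stand-in for the parser behind the WMS endpoint. It builds the same payload as above against a constructed secret file, shows a parser configured to fetch external general entities returning the file's contents as element text, and shows a hardened parser that rejects any DOCTYPE and disables external entities. The file name, its contents and the temporary path are all constructed for the demo.

```python
"""Added example (not GeoServer code): an XML parser that resolves external
general entities leaks a local file, and a hardened parser refuses the same
document.  Python's xml.sax/expat stands in for the WMS endpoint's parser."""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax import handler

# Constructed stand-in for a sensitive file on the server (the payload above
# used /etc/passwd; a datastore properties file is just as interesting).
SECRET = "dbuser=geoserver\npassword=hunter2\n"


def build_payload(file_uri: str) -> bytes:
    """Same shape as the page's payload: an external entity pointing at file_uri."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE foo [\n'
        f' <!ENTITY xxe SYSTEM "{file_uri}">\n'
        ']>\n'
        '<GetMap>\n'
        '    <evil>&xxe;</evil>\n'
        '</GetMap>\n'
    ).encode()


class TextCollector(handler.ContentHandler):
    """Collects character data, i.e. whatever the entity expanded into."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, data):
        self.chunks.append(data)


class RejectDoctype:
    """SAX lexical handler: any DOCTYPE aborts parsing before an entity can exist."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE {name!r} rejected: DTDs are not accepted here")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_unsafely(xml_bytes: bytes) -> str:
    """Parser configured like a vulnerable one: external entities are fetched."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the dangerous setting
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip()


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened parser: no DTD at all, no external general or parameter entities."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip()


def demo() -> dict:
    """Run both parsers against the payload; returns what each one did."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = pathlib.Path(tmp) / "datastore.properties"  # constructed
        secret_path.write_text(SECRET)
        payload = build_payload(secret_path.as_uri())  # file:///... like the page
        leaked = parse_unsafely(payload)
        try:
            parse_hardened(payload)
            blocked = None
        except ValueError as exc:
            blocked = str(exc)
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    result = demo()
    print("vulnerable parser returned:", repr(result["leaked"]))
    print("hardened parser said:", result["blocked"])
```

Refusing the DTD outright is the same policy a JAXP parser gets from the `http://apache.org/xml/features/disallow-doctype-decl` feature: if no DTD is accepted, no entity can be declared, which is simpler and safer than trying to filter individual entity declarations.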

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score reported for CVE-2025-58360 is:

  • CVSS Score: 8.2 (HIGH)

That places it in the High band of CVSS v3.x (7.0 to 8.9). The score reflects that the flaw is reachable over the network through an ordinary WMS request and that a successful request discloses server-side data to the attacker.

Possible Impact

Successful exploitation of CVE-2025-58360 can have severe consequences:

  • Sensitive Information Disclosure: Attackers can read files the GeoServer process can open, including system files, data directory configuration, and credentials stored in datastore definitions.
  • Denial of Service (DoS): Entity expansion attacks (nested entities, the "billion laughs" document) or entities pointing at resources that never return, such as /dev/random or a slow external URL, can tie up worker threads and memory.
  • Potential for Remote Code Execution (RCE): XXE on its own rarely yields code execution on a Java service; the realistic path is using the file reads or internal requests as one step in a chain, for example by harvesting credentials from configuration and using them elsewhere.

Mitigation and Patch Steps

The most effective mitigation is to upgrade to a release that contains the fix, staying on your current branch where possible:

  • 2.25 branch: upgrade to GeoServer 2.25.6 or later.
  • 2.26 branch: upgrade to GeoServer 2.26.3 or later. Note that the affected range stated above ends before 2.26.2; confirm the exact fixed 2.26 release in the GeoServer security advisory before declaring a host safe.
  • 2.27 branch: upgrade to GeoServer 2.27.0 or later.

After upgrading, confirm the running version from the instance itself (the welcome page, or the REST about/version resource) rather than from an inventory record.

If immediate patching is not possible, the following temporary mitigations reduce exposure, though none of them replaces the patch:

  • Restrict inbound access: Limit access to the GeoServer instance to trusted networks and users, so that an unauthenticated request from the internet cannot reach the WMS endpoint.
  • Restrict outbound access: Deny egress from the GeoServer host except to the destinations it needs. This blunts the internal-network and out-of-band variants, where the payload makes the server fetch a URL.
  • Reject DTDs at the edge: Legitimate WMS GetMap and SLD documents do not need a DOCTYPE, so a reverse proxy or WAF rule that rejects requests to /geoserver/wms whose XML contains <!DOCTYPE removes the entity-declaration vector. XML can reach GetMap in a POST body and in query parameters such as SLD_BODY, so the rule has to inspect both after URL decoding, and it must not be case sensitive.
  • Run with least privilege: Run GeoServer under a dedicated account that can read only its own data directory, so that a file read is limited to what that account can open.
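Finding every instance that still needs the upgrade is usually an inventory problem rather than a single check. The following is an added example, not from this post or from the GeoServer project: it triages a constructed inventory of reported version strings against the affected ranges as this post states them. The 2.26 upper boundary is encoded as an assumption (2.26.2, from the affected range above, although the upgrade list names 2.26.3), and the hostnames and versions are made up for the demo.

```python
"""Added example, not from the post or the GeoServer project: triage an
inventory of GeoServer version strings against the affected ranges above."""
import re

# Affected ranges as this post states them: every release before 2.25.6, and
# 2.26.0 up to but not including 2.26.2.  The post also names 2.26.3 as the
# upgrade target on the 2.26 line, so the 2.26 boundary is an assumption to
# confirm against the GeoServer advisory before declaring a host safe.
AFFECTED_RANGES = (
    ((0, 0, 0), (2, 25, 6)),
    ((2, 26, 0), (2, 26, 2)),
)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Pull (major, minor, patch) out of strings like '2.26.1' or
    'GeoServer 2.25.5-SNAPSHOT'.  A missing patch number counts as 0 and a
    SNAPSHOT or RC suffix is ignored, so a pre-release build is treated as the
    release it is named after; review those by hand."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """True when the version falls inside one of the stated affected ranges."""
    v = parse_version(version_text)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """inventory maps hostname -> version string as reported by the instance.
    Returns the hostnames that still need the upgrade, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory for the demo; these are not real hosts.
SAMPLE_INVENTORY = {
    "gis-prod-01": "2.26.1",
    "gis-prod-02": "2.26.2",
    "gis-legacy": "GeoServer 2.25.4",
    "gis-dev": "2.27.0",
    "gis-old": "2.24.2",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, upgrade required")
```

Feed `triage` whatever your asset register or a scripted version query returns per host; the only thing it needs is a string containing the version number.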

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.