Overview
CVE-2025-21621 is a reflected cross-site scripting (XSS) vulnerability affecting GeoServer, an open-source server used for sharing and editing geospatial data. This vulnerability exists in versions prior to 2.25.0 and stems from insufficient sanitization of user-supplied input in the WMS GetFeatureInfo HTML output format. Specifically, a malicious actor can inject arbitrary JavaScript code through specially crafted SLD_BODY parameters.
Technical Details
The vulnerability lies in how GeoServer handles the user-provided SLD_BODY parameter in WMS GetFeatureInfo requests when the HTML output format (info_format=text/html) is requested: the parameter value is reflected into the HTML response without proper output encoding, so markup embedded in it is interpreted by the browser rather than displayed as text. When a victim opens a crafted link or visits a page that issues the malicious request, the injected JavaScript executes in the victim's browser in the origin of the GeoServer site, with access to whatever that origin holds (session cookies, authenticated requests). This can lead to account compromise, data theft, or other malicious activities.
Example of a potentially malicious request (shown URL-decoded for readability):
GET /geoserver/wms?service=WMS&version=1.1.0&request=GetFeatureInfo&layers=topp:states&query_layers=topp:states&info_format=text/html&SLD_BODY=<StyledLayerDescriptor><UserStyle><FeatureTypeStyle><Rule><Name>Test</Name><PointSymbolizer><Graphic><Mark><WellKnownName>circle</WellKnownName><Fill><CssParameter name="fill">#FF0000</CssParameter></Fill></Mark></Graphic></PointSymbolizer></Rule></FeatureTypeStyle></UserStyle></StyledLayerDescriptor><script>alert("XSS Vulnerability!")</script>
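The following added example (written for this page, not code from GeoServer) illustrates the defect and the fix described above: a hypothetical HTML error page that reflects the SLD_BODY value raw, the same page with the value entity-encoded, and a parse-then-encode routine. The SLD_BODY values are constructed from the request above (namespaces omitted); the page template is an assumption and is not GeoServer's actual template.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample: the SLD_BODY value from the request above, with a <script> element
# appended after the closing root tag, alongside a well-formed version of the same style.
# (Real SLD documents carry XML namespaces; they are omitted here for brevity.)
CRAFTED_SLD_BODY = (
    "<StyledLayerDescriptor><UserStyle><FeatureTypeStyle><Rule><Name>Test</Name>"
    "</Rule></FeatureTypeStyle></UserStyle></StyledLayerDescriptor>"
    '<script>alert("XSS Vulnerability!")</script>'
)
CLEAN_SLD_BODY = (
    "<StyledLayerDescriptor><UserStyle><FeatureTypeStyle><Rule><Name>Test</Name>"
    "</Rule></FeatureTypeStyle></UserStyle></StyledLayerDescriptor>"
)


def sld_is_well_formed(sld_body: str) -> bool:
    """An XML parser rejects the crafted value: the <script> element is junk after the
    document element. For untrusted XML in production, prefer defusedxml over the
    stdlib parser."""
    try:
        ET.fromstring(sld_body)
        return True
    except ET.ParseError:
        return False


def error_page_vulnerable(sld_body: str) -> str:
    """Hypothetical GetFeatureInfo HTML error page that reflects the raw parameter value.
    The browser parses the reflected markup, so the injected <script> runs on the
    GeoServer origin. (Assumed template, not GeoServer's own.)"""
    return (
        "<html><body><h2>GetFeatureInfo</h2>"
        f"<p>Could not parse SLD_BODY:</p><pre>{sld_body}</pre></body></html>"
    )


def error_page_hardened(sld_body: str) -> str:
    """Same page with the untrusted value entity-encoded for an HTML text context:
    '<', '>', '&' and quotes become entities, so the browser displays the text
    instead of interpreting it as markup."""
    return (
        "<html><body><h2>GetFeatureInfo</h2>"
        f"<p>Could not parse SLD_BODY:</p><pre>{html.escape(sld_body, quote=True)}</pre></body></html>"
    )


def rule_names_hardened(sld_body: str) -> list:
    """Parse first, then encode every value that is placed into the HTML output.
    Returns the escaped <Name> texts, or an empty list if the XML is rejected."""
    try:
        root = ET.fromstring(sld_body)
    except ET.ParseError:
        return []
    return [html.escape(name.text or "", quote=True) for name in root.iter("Name")]


def has_live_script(page: str) -> bool:
    """Check used to compare the two renderings: does the page contain an unescaped <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("crafted SLD well-formed:", sld_is_well_formed(CRAFTED_SLD_BODY))
    print("vulnerable page executes script:", has_live_script(error_page_vulnerable(CRAFTED_SLD_BODY)))
    print("hardened page executes script:", has_live_script(error_page_hardened(CRAFTED_SLD_BODY)))
    print("escaped rule names:", rule_names_hardened(CLEAN_SLD_BODY))
```

The point of the two page builders is that the fix is not about rejecting particular strings: the hardened version does not try to recognise `<script>`, it encodes everything placed into the HTML text context, so any markup the client sends is shown rather than run.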
CVSS Analysis
- CVSS Score: 6.1 (Medium)
- This score indicates a moderate level of risk. The Medium rating reflects that exploitation needs user interaction (the victim must open a crafted link); the attack itself is otherwise simple to carry out and can have significant consequences.
Possible Impact
Successful exploitation of CVE-2025-21621 can lead to various negative outcomes:
- Account Compromise: Attackers can steal user credentials or session cookies.
- Data Theft: Sensitive geospatial data could be accessed and exfiltrated.
- Website Defacement: The GeoServer instance could be defaced, impacting its availability and credibility.
- Malware Distribution: The vulnerable GeoServer instance could be used to spread malware to visitors.
Mitigation and Patch Steps
The recommended solution is to upgrade to GeoServer version 2.25.0 or later. This version includes a patch that addresses the XSS vulnerability by properly sanitizing and encoding the SLD_BODY parameter.
- Upgrade GeoServer: Download and install GeoServer version 2.25.0 or a later release from the official GeoServer website.
- Verify Installation: After upgrading, thoroughly test your GeoServer instance to ensure that all functionalities are working as expected.
- Web Application Firewall (WAF): Consider implementing a Web Application Firewall (WAF) to provide an additional layer of security and filter out malicious requests. Configure the WAF with rules to detect and block XSS attacks.
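As an added example of the detection side of the WAF step above (written for this page, not a rule shipped with any WAF or with GeoServer), the following script scans web-server access-log lines for WMS requests whose SLD_BODY value carries active HTML content. The log lines are constructed; addresses, timestamps and user agents are made up. The patterns are heuristics and assumptions on my part, not a published signature for this CVE.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format). The first and third requests
# carry a <script> element in the SLD_BODY value; the second is an ordinary GetMap with
# a normal style document and must not be flagged.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [10/Feb/2025:12:00:01 +0000] "GET /geoserver/wms?service=WMS'
    '&version=1.1.0&request=GetFeatureInfo&layers=topp:states&query_layers=topp:states'
    '&info_format=text/html&SLD_BODY=%3CStyledLayerDescriptor%3E%3CUserStyle%3E'
    '%3CFeatureTypeStyle%3E%3CRule%3E%3CName%3ETest%3C/Name%3E%3C/Rule%3E'
    '%3C/FeatureTypeStyle%3E%3C/UserStyle%3E%3C/StyledLayerDescriptor%3E'
    '%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2025:12:00:05 +0000] "GET /geoserver/wms?service=WMS'
    '&version=1.1.0&request=GetMap&layers=topp:states&bbox=-125,24,-66,50&width=400'
    '&height=300&srs=EPSG:4326&format=image/png&SLD_BODY=%3CStyledLayerDescriptor%3E'
    '%3CUserStyle%3E%3CFeatureTypeStyle%3E%3CRule%3E%3CName%3ERed%3C/Name%3E%3C/Rule%3E'
    '%3C/FeatureTypeStyle%3E%3C/UserStyle%3E%3C/StyledLayerDescriptor%3E HTTP/1.1" 200 9120 "-" "QGIS/3.34"',
    # WMS parameter names are case-insensitive, so a rule matching only the literal
    # string "SLD_BODY" would miss this request.
    '203.0.113.10 - - [10/Feb/2025:12:00:09 +0000] "GET /geoserver/wms?service=wms'
    '&request=getfeatureinfo&layers=topp:states&query_layers=topp:states&info_format=text/html'
    '&sld_body=%3cStyledLayerDescriptor/%3e%3cscript%3ealert(1)%3c/script%3e HTTP/1.1" 200 1790 "-" "curl/8.5.0"',
]

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
# Markup that has no place inside a style document: script elements, javascript: URLs,
# inline event handlers. Heuristic, case-insensitive.
ACTIVE_CONTENT = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# Anything after the root element's closing tag: an XML parser rejects it as junk after
# the document element, but a page that reflects the raw value will still render it.
TRAILING_CONTENT = re.compile(r"</StyledLayerDescriptor>\s*\S", re.IGNORECASE)


def parse_log_line(line: str):
    """Split a Combined Log Format line into its fields, or return None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def wms_params(target: str) -> dict:
    """Percent-decode the query string and lower-case the parameter names."""
    query = urlsplit(target).query
    return {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}


def inspect_sld_body(body: str) -> list:
    """Return the reasons a decoded SLD_BODY value looks like an injection attempt."""
    reasons = []
    if ACTIVE_CONTENT.search(body):
        reasons.append("script_or_event_handler")
    if TRAILING_CONTENT.search(body):
        reasons.append("content_after_sld_root")
    return reasons


def scan_log_lines(lines) -> list:
    """Flag every request whose SLD_BODY carries active content. The request type and
    info_format are recorded so an analyst can prioritise GetFeatureInfo with text/html,
    the combination this advisory is about, over other WMS requests."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        params = wms_params(rec["target"])
        for body in params.get("sld_body", []):
            reasons = inspect_sld_body(body)
            if reasons:
                findings.append({
                    "client": rec["client"],
                    "time": rec["time"],
                    "request": params.get("request", [""])[0],
                    "info_format": params.get("info_format", [""])[0],
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(finding)
```

Two details matter for a WAF or SIEM rule derived from this: decode the query string before matching (the payload arrives percent-encoded in the log), and match parameter names case-insensitively, because the WMS specification treats them that way and GeoServer accepts `sld_body` as readily as `SLD_BODY`.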
