Platform
java
Component
org.geoserver.web:gs-web-app
Fixed in
2.27.1
2.26.1
2.25.8
2.27.1
CVE-2025-30220 describes an XML External Entity (XXE) injection vulnerability within the GeoServer Web Feature Service (WFS). This flaw allows attackers to trigger the parsing of external DTDs and entities, bypassing entity resolvers. The vulnerability impacts GeoServer versions 2.27.0 and earlier. A patch is available in version 2.27.1.
Successful exploitation of CVE-2025-30220 can lead to significant data exposure and unauthorized access. Attackers can leverage the XXE injection to perform Out-of-Band (OOB) data exfiltration, potentially revealing sensitive local files accessible by the GeoServer process. Furthermore, this vulnerability enables Server-Side Request Forgery (SSRF), allowing attackers to make requests to internal resources on behalf of the GeoServer, potentially compromising other systems within the network. The ability to read local files and perform SSRF significantly expands the attack surface and potential impact.
CVE-2025-30220 was publicly disclosed on 2025-06-10. The vulnerability is related to GeoTools CVE-2025-30220. Currently, there are no confirmed reports of active exploitation, but the availability of a public proof-of-concept increases the risk. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation.
Organizations utilizing GeoServer for geospatial data serving, particularly those with publicly accessible WFS endpoints, are at risk. Environments with legacy GeoServer configurations or those lacking robust network segmentation are especially vulnerable. Shared hosting environments where multiple users share the same GeoServer instance also face increased risk.
• linux / server:
  journalctl -u geoserver -g "XML External Entity"
• java / supply-chain:
  Inspect GeoServer configuration files for any custom XML parsing configurations that might bypass entity resolution restrictions.
• generic web:
  Use curl to test WFS endpoints with specially crafted XML payloads containing external entity references. Monitor response headers for signs of OOB data exfiltration (e.g., DNS requests to unexpected domains).
disclosure
added to KEV
Exploit status
EPSS
8.39% (92nd percentile)
CISA SSVC
CVSS vector
Exploitation detected
NextGuard has recorded indicators of active exploitation in public feeds.
The primary mitigation for CVE-2025-30220 is to upgrade GeoServer to version 2.27.1 or later, which includes the fix for this vulnerability. If immediate upgrading is not possible, consider implementing temporary workarounds. Restrict network access to the GeoServer instance to limit the potential impact of SSRF attacks. Review and strengthen XML parsing configurations, ensuring that entity resolution is properly restricted and that any allowlists are strictly enforced. Monitor GeoServer logs for suspicious activity related to XML parsing and external entity resolution.
Update GeoTools to version 33.1, 32.3, 31.7 or 28.6.1 or later. If you use GeoServer, update to version 2.27.1, 2.26.3 or 2.25.7 or later. If you use GeoNetwork, update to version 4.4.8 or 4.2.13 or later. This fixes the XXE vulnerability in XSD schema processing.
CVE-2025-30220 is a HIGH severity XXE injection vulnerability affecting GeoServer versions 2.27.0 and earlier, allowing attackers to exfiltrate local files and perform SSRF.
You are affected if you are running GeoServer versions 2.27.0 or earlier. Upgrade to 2.27.1 or later to mitigate the risk.
Upgrade GeoServer to version 2.27.1 or later. As a temporary workaround, restrict network access and strengthen XML parsing configurations.
While there are no confirmed reports of active exploitation, the availability of a public proof-of-concept increases the risk.
Refer to the official GeoServer security advisory for detailed information and updates: [https://geoserver.org/security/](https://geoserver.org/security/)