Platform
java
Component
org.geoserver.web:gs-web-app
Fixed in
2.27.1
2.26.1
2.25.8
CVE-2025-30220 describes an XML External Entity (XXE) injection vulnerability in the GeoServer Web Feature Service (WFS). A crafted WFS request causes the XML parser to fetch external DTDs and entities, bypassing the entity resolver that is supposed to restrict such fetches. The vulnerability affects GeoServer versions 2.27.0 and earlier; a patch is available in version 2.27.1.
Successful exploitation of CVE-2025-30220 can lead to significant data exposure and unauthorized access. Because the parser inlines entity content, an attacker can read local files accessible to the operating-system user running GeoServer and, using Out-of-Band (OOB) techniques, have that content sent to an attacker-controlled URL even when the response itself does not echo it. The same primitive enables Server-Side Request Forgery (SSRF): the GeoServer process makes requests to internal resources on the attacker's behalf, potentially reaching systems that are not exposed to the attacker directly. Local file read plus SSRF together significantly expand the attack surface and potential impact.
CVE-2025-30220 was publicly disclosed on 2025-06-10. The same CVE identifier covers the underlying flaw in the GeoTools XSD module, which is why GeoTools and GeoNetwork are also affected. A public proof-of-concept is available, which raises the likelihood of exploitation; the exploit status fields below record the current exploitation indicators.
Exploit Status
EPSS: 8.39% (92nd percentile)
CISA SSVC
CVSS Vector
Exploitation detected: NextGuard recorded active exploitation indicators in public threat intel feeds.
The primary mitigation for CVE-2025-30220 is to upgrade GeoServer to version 2.27.1 or later, which includes the fix for this vulnerability. If immediate upgrading is not possible, apply temporary workarounds. Restrict network access to the GeoServer instance, and restrict outbound (egress) connections from the GeoServer host, to limit both SSRF and out-of-band exfiltration. Review XML parsing configuration: GeoServer's ENTITY_RESOLUTION_ALLOWLIST system property controls which external hosts the entity resolver may contact, and it should be kept as tight as possible, but because this flaw bypasses the entity resolver, the allowlist alone is not a complete mitigation. Monitor GeoServer logs and, where available, request bodies for DOCTYPE and ENTITY declarations in WFS requests, and watch for unexpected outbound connection attempts from the GeoServer process.
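The following is an added example, not GeoServer or GeoTools code, that shows the two things the impact and mitigation sections above describe: how an external general entity in a WFS GetFeature body pulls a local file into the parsed document (the vulnerable configuration), and what a hardened parser configuration looks like. It uses only Python's standard library xml.sax parser as a stand-in for the Java parser inside GeoServer. The GetFeature body, the typeName topp:states and the secret file content are constructed for the demo, and the file URL assumes a POSIX path.

```python
# Added example (not GeoServer/GeoTools code): the XXE primitive behind
# CVE-2025-30220 and a hardened parser configuration, using the Python
# standard library. Sample request, secret file and typeName are constructed.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, EntityResolver,
                             feature_external_ges, feature_external_pes,
                             property_lexical_handler)

SECRET = "secret=hunter2"  # constructed stand-in for a sensitive local file


class DtdRejected(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE or entity appears."""


class LiteralCollector(ContentHandler):
    """Collects the text of every <ogc:Literal>, where the entity content lands."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.chunks = []

    def startElement(self, name, attrs):
        self._inside = name == "ogc:Literal"

    def endElement(self, name):
        self._inside = False

    def characters(self, content):
        if self._inside:
            self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


class RefusingResolver(EntityResolver):
    """Fails closed if anything still asks to resolve an external entity."""

    def resolveEntity(self, publicId, systemId):
        raise DtdRejected(f"external entity resolution refused: {systemId}")


class DoctypeRejecter:
    """Lexical handler: expat calls startDTD when a DOCTYPE is encountered,
    so a resolver bypass never gets a chance to run."""

    def startDTD(self, name, public_id, system_id):
        raise DtdRejected(f"DOCTYPE not allowed (root {name!r})")

    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def write_secret_file() -> str:
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET)
    return path


def build_payload(path: str) -> bytes:
    """Constructed WFS 1.1.0 GetFeature body whose internal DTD subset declares
    an external general entity pointing at a local file (POSIX path assumed)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE wfs:GetFeature [
  <!ENTITY xxe SYSTEM "file://{path}">
]>
<wfs:GetFeature service="WFS" version="1.1.0"
    xmlns:wfs="http://www.opengis.net/wfs" xmlns:ogc="http://www.opengis.net/ogc">
  <wfs:Query typeName="topp:states">
    <ogc:Filter><ogc:PropertyIsEqualTo>
      <ogc:PropertyName>STATE_NAME</ogc:PropertyName>
      <ogc:Literal>&xxe;</ogc:Literal>
    </ogc:PropertyIsEqualTo></ogc:Filter>
  </wfs:Query>
</wfs:GetFeature>
""".encode("utf-8")


def parse_following_entities(payload: bytes) -> str:
    """Vulnerable configuration: external general entities are fetched and
    inlined, so the file content ends up inside the filter literal."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    collector = LiteralCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return collector.text()


def parse_hardened(payload: bytes) -> str:
    """Hardened configuration: no external general or parameter entities,
    a resolver that fails closed, and rejection of any DOCTYPE."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.setEntityResolver(RefusingResolver())
    parser.setProperty(property_lexical_handler, DoctypeRejecter())
    collector = LiteralCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return collector.text()


def hardened_rejects(payload: bytes) -> bool:
    try:
        parse_hardened(payload)
    except DtdRejected:
        return True
    return False


def demo() -> tuple:
    """Returns (text leaked by the vulnerable parser, whether hardened parser refused)."""
    path = write_secret_file()
    try:
        payload = build_payload(path)
        return parse_following_entities(payload), hardened_rejects(payload)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser leaked:", leaked)
    print("hardened parser rejected DOCTYPE:", blocked)
```

The hardened parser rejects the DOCTYPE before any entity declaration is processed, which is the property that matters here: disabling external entities or tightening an allowlist only helps if the code path actually consults those settings, and the CVE description is precisely that the resolver was bypassed. Refusing DTDs outright has no such dependency, and WFS requests have no legitimate need for them.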
Update GeoTools to version 33.1, 32.3, 31.7, or 28.6.1 or later. If you are using GeoServer, update to version 2.27.1, 2.26.3, or 2.25.7 or later. If you are using GeoNetwork, update to version 4.4.8 or 4.2.13 or later. This corrects the XXE vulnerability in XSD schema processing.
CVE-2025-30220 is a HIGH severity XXE injection vulnerability affecting GeoServer versions 2.27.0 and earlier, allowing attackers to exfiltrate local files and perform SSRF.
You are affected if you are running GeoServer versions 2.27.0 or earlier. Upgrade to 2.27.1 or later to mitigate the risk.
Upgrade GeoServer to version 2.27.1 or later. As a temporary workaround, restrict network access and strengthen XML parsing configurations.
While there are no confirmed reports of active exploitation, the availability of a public proof-of-concept increases the risk.
Refer to the official GeoServer security advisory for detailed information and updates: [https://geoserver.org/security/](https://geoserver.org/security/)