Platform: java
Component: org.geoserver.web:gs-web-app
Fixed in: 2.27.1, 2.26.1, 2.25.8
CVE-2025-30220 describes an XML External Entity (XXE) injection vulnerability within the GeoServer Web Feature Service (WFS). This flaw allows attackers to trigger the parsing of external DTDs and entities, bypassing entity resolvers. The vulnerability impacts GeoServer versions 2.27.0 and earlier. A patch is available in version 2.27.1.
Successful exploitation of CVE-2025-30220 can lead to significant data exposure and unauthorized access. Attackers can leverage the XXE injection to perform Out-of-Band (OOB) data exfiltration, potentially revealing sensitive local files readable by the GeoServer process. Furthermore, this vulnerability enables Server-Side Request Forgery (SSRF), allowing attackers to make requests to internal resources on behalf of the GeoServer host, potentially compromising other systems within the network. The ability to read local files and perform SSRF significantly expands the attack surface and potential impact.
CVE-2025-30220 was publicly disclosed on 2025-06-10. The same CVE is tracked against GeoTools, the library in which the flaw originates. Currently, there are no confirmed reports of active exploitation, but the availability of a public proof-of-concept increases the risk. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation.
Organizations utilizing GeoServer for geospatial data serving, particularly those with publicly accessible WFS endpoints, are at risk. Environments with legacy GeoServer configurations or those lacking robust network segmentation are especially vulnerable. Shared hosting environments where multiple users share the same GeoServer instance also face increased risk.
• linux / server:
journalctl -u geoserver -g "XML External Entity"
• java / supply-chain:
Inspect GeoServer configuration files for any custom XML parsing configurations that might bypass entity resolution restrictions.
• generic web:
Use curl to test WFS endpoints with specially crafted XML payloads containing external entity references. Monitor responses and outbound traffic from the GeoServer host for signs of OOB data exfiltration (e.g., DNS requests to unexpected domains).
Timeline: disclosure; added to KEV
Exploit status:
EPSS: 8.39% (92nd percentile)
CISA SSVC:
CVSS vector:
Exploitation detected: NextGuard recorded indicators of active exploitation in public threat-intelligence feeds.
The primary mitigation for CVE-2025-30220 is to upgrade GeoServer to version 2.27.1 or later, which includes the fix for this vulnerability. If immediate upgrading is not possible, consider implementing temporary workarounds. Restrict network access to the GeoServer instance to limit the potential impact of SSRF attacks. Review and strengthen XML parsing configurations, ensuring that entity resolution is properly restricted and that any allowlists are strictly enforced. Monitor GeoServer logs for suspicious activity related to XML parsing and external entity resolution.
Update GeoTools to version 33.1, 32.3, 31.7 or 28.6.1 or later. If you are using GeoServer, update to version 2.27.1, 2.26.3 or 2.25.7 or later. If you are using GeoNetwork, update to version 4.4.8 or 4.2.13 or later. This fixes the XXE vulnerability in XSD schema processing.
CVE-2025-30220 is a HIGH severity XXE injection vulnerability affecting GeoServer versions 2.27.0 and earlier, allowing attackers to exfiltrate local files and perform SSRF.
You are affected if you are running GeoServer versions 2.27.0 or earlier. Upgrade to 2.27.1 or later to mitigate the risk.
Upgrade GeoServer to version 2.27.1 or later. As a temporary workaround, restrict network access and strengthen XML parsing configurations.
While there are no confirmed reports of active exploitation, the availability of a public proof-of-concept increases the risk.
Refer to the official GeoServer security advisory for detailed information and updates: [https://geoserver.org/security/](https://geoserver.org/security/)