Overview
A high-severity XML External Entity (XXE) vulnerability, identified as CVE-2025-58360, impacts GeoServer, the popular open-source server for sharing and editing geospatial data. This flaw, rated with a CVSS score of 8.2 (High), stems from insufficient sanitization and restriction of XML input within a specific endpoint. Attackers can leverage this vulnerability to define and resolve external entities, potentially leading to sensitive data disclosure, server-side request forgery (SSRF), or denial of service (DoS).
Technical Details
The vulnerability exists in GeoServer versions from 2.26.0 up to, but not including, 2.26.2, and in versions before 2.25.6. Specifically, the application's /geoserver/wms endpoint, when processing the GetMap operation, accepts XML input without adequately securing its XML parser configuration. An attacker can craft a malicious XML request that includes a Document Type Definition (DTD) with external entity declarations. When the GeoServer parser processes this input, it resolves these external entities, allowing the attacker to read arbitrary files from the server's filesystem, initiate connections to internal or external network resources (SSRF), or trigger resource exhaustion via a 'billion laughs' attack. The inherent trust in XML input, coupled with a permissive parser configuration, creates a direct path for exploiting this classic XXE weakness. Exploitation requires a basic understanding of XXE attacks and the ability to send authenticated or unauthenticated requests to the vulnerable endpoint, depending on GeoServer's specific deployment configuration.
Affected Systems
This XXE vulnerability affects GeoServer installations running the following versions:
- GeoServer versions from 2.26.0 up to, but not including, 2.26.2.
- GeoServer versions prior to 2.25.6.
Organizations operating these vulnerable GeoServer instances are at risk and must prioritize immediate action.
Remediation
Organizations using GeoServer must take immediate steps to mitigate the risk posed by CVE-2025-58360:
- Upgrade GeoServer: The most effective remediation is to upgrade to a patched version. The vulnerability has been addressed in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0. Prioritize upgrading to one of these or later stable releases.
- Secure XML Parsers: Implement secure XML parsing practices across all applications that handle XML input. This typically involves configuring XML parsers to disable DTD processing and external entity resolution by default. Specifically, disable support for external general entities, external parameter entities, and external DTDs.
- Input Validation: Implement stringent input validation and sanitization for all XML data received from untrusted sources. While not a primary fix for XXE, it adds a layer of defense.
- Network Segmentation: Restrict network access to GeoServer instances, particularly the WMS endpoint, to only trusted internal networks or specific IP addresses. This limits the attack surface.
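The "Secure XML Parsers" item above, shown as an added Java example that is not GeoServer's own code: a JAXP DocumentBuilderFactory left at its defaults next to one hardened with the feature flags that disable DTDs, external general and parameter entities and external DTD loading, checked against a constructed GetMap-style body that carries a DOCTYPE. The class, method and entity names and the placeholder URL are assumptions made for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class HardenedXmlParser {

    // Weak configuration: JAXP defaults accept a DOCTYPE and resolve
    // external general and parameter entities, which is the XXE exposure.
    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: refuse any DOCTYPE outright, and as defence in
    // depth also turn off external entities, external DTD loading and XInclude.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // no file:, http:, jar: fetches
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    // Constructed sample: a GetMap-style body whose DOCTYPE declares an external
    // entity; the URL is a placeholder and is never meant to resolve.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE GetMap [ <!ENTITY ext SYSTEM \"http://dtd.example.invalid/placeholder.dtd\"> ]>\n"
      + "<GetMap service=\"WMS\" version=\"1.3.0\"><Title>&ext;</Title></GetMap>";

    // Returns true when the builder refuses the document (a SAXParseException on the
    // DOCTYPE for the hardened builder), false when it parses it.
    static boolean rejects(DocumentBuilder builder, String xml) {
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (Exception e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects DOCTYPE input: "
            + rejects(hardenedBuilder(), SAMPLE_WITH_DOCTYPE));
    }
}
```

The feature URIs are the Xerces ones used by the JDK's built-in parser; other parsers (SAX, StAX, JAXB) need their own equivalents, so apply the same policy to every XML entry point rather than only this one.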