CVE-2023-25158: GeoTools SQL Injection Vulnerability

CVE-2023-25158 Overview

CVE-2023-25158 is a SQL injection vulnerability in GeoTools, an open source Java library for geospatial data processing. The flaw affects the library's Open Geospatial Consortium (OGC) Filter expression language parser when filters execute against JDBCDataStore implementations. Attackers can inject arbitrary SQL through crafted OGC Filter expressions, allowing unauthenticated remote exploitation against any application that exposes GeoTools filter evaluation to user input. The vulnerability is tracked as [CWE-89: SQL Injection] and affects downstream products such as GeoServer that embed GeoTools. The maintainers released fixed versions 27.4 and 28.2 to address the issue.

Critical Impact

Unauthenticated attackers can execute arbitrary SQL statements against backend databases, leading to data theft, data modification, and full database compromise.

Affected Products

• GeoTools versions prior to 27.4 (27.x branch)
• GeoTools versions prior to 28.2 (28.x branch)
• Applications embedding vulnerable GeoTools releases, including GeoServer deployments using JDBCDataStore

Discovery Timeline

• 2023-02-21 - CVE-2023-25158 published to NVD
• 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-25158

Vulnerability Analysis

GeoTools provides parsing, encoding, and execution support for OGC Filter expressions. These filters can be supplied through standards-based interfaces such as Web Feature Service (WFS) GetFeature requests. When the library translates filter expressions into SQL for execution against a JDBCDataStore, certain function arguments and property names are concatenated into the generated SQL without proper parameterization.

An attacker can craft an OGC Filter that abuses encoded functions to break out of the expected SQL context. The injected payload runs with the privileges of the database account configured for the data store. Impact includes reading arbitrary tables, modifying data, and in some database engines achieving command execution through database-specific features.

Root Cause

The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The encode functions code path for PostGIS and similar JDBC stores assembled SQL fragments via string concatenation rather than binding parameters through prepared statements. Filter inputs derived from network requests reached the SQL generator without sanitization.

Attack Vector

Exploitation requires only network access to an endpoint that evaluates OGC Filters against a JDBC-backed data store. No authentication or user interaction is required. The attacker submits a malicious filter expression — for example, through a WFS request — containing function arguments that terminate the intended SQL clause and append attacker-controlled statements. The vulnerability is described in the GitHub Security Advisory GHSA-99c3-qc2q-p94m and fixed by the GitHub commit 64fb4c4. No verified public proof-of-concept code is referenced in the source data, so technical specifics are described in prose rather than reproduced here.

Detection Methods for CVE-2023-25158

Indicators of Compromise

• WFS or OGC API requests containing SQL metacharacters such as single quotes, semicolons, or comment sequences within filter, propertyName, or function-argument parameters.
• Database audit log entries showing unexpected UNION, SELECT, or DDL statements originating from the application's database account.
• Outbound network connections or DNS lookups initiated by the database server, which can indicate out-of-band exfiltration through injected SQL.
• HTTP 500 responses from GeoTools or GeoServer endpoints correlated with malformed filter expressions.

Detection Strategies

• Inspect HTTP request bodies and query strings sent to GeoServer or other GeoTools-based services for OGC Filter payloads containing SQL keywords.
• Enable database query logging and alert on statements that reference system catalogs (pg_catalog, information_schema) from the GeoTools application identity.
• Run software composition analysis (SCA) against application dependencies to flag geotools:geotools versions below 27.4 or 28.2.

Monitoring Recommendations

• Forward web application and database logs to a centralized analytics platform for correlation between filter requests and database activity.
• Baseline normal OGC Filter request patterns and alert on deviations such as unusually long filters or non-spatial function calls.
• Track changes to authentication tables, user roles, and schema objects in databases reachable from GeoTools data stores.

How to Mitigate CVE-2023-25158

Immediate Actions Required

• Upgrade GeoTools to version 27.4, 28.2, or later across all deployed applications and dependent products such as GeoServer.
• Inventory all internal and internet-facing services that embed GeoTools and prioritize remediation for network-exposed instances.
• Restrict the database account used by JDBCDataStore to the minimum privileges required, removing DDL and superuser rights.

Patch Information

The GeoTools maintainers fixed the vulnerability in releases 27.4 and 28.2. The corrective change is documented in the GeoTools commit 64fb4c4 and the GHSA-99c3-qc2q-p94m advisory. Operators of downstream products should consult their vendor's release notes to identify the first patched build.

Workarounds

• Disable encode functions for PostGIS data stores in environments that cannot upgrade immediately.
• Enable prepared statements for JDBCDataStore configurations as a partial mitigation against injection.
• Place a web application firewall rule in front of GeoServer or similar services to reject OGC Filter parameters containing SQL metacharacters.
• Network-segment the database backing the data store so that exploitation cannot pivot to additional internal systems.

# Example: enable prepared statements for a GeoServer JDBCDataStore
# in the data store configuration XML
<entry key="preparedStatements">true</entry>
<entry key="encode functions">false</entry>