CVE-2024-36401: GeoServer XPath RCE Vulnerability

CVE-2024-36401 Overview

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.

Critical Impact

This vulnerability allows unauthenticated remote code execution impacting all instances of GeoServer, leading to potential system control by attackers.

Affected Products

• GeoServer GeoServer
• GeoTools GeoTools
• Not Available

Discovery Timeline

• Not Available - Vulnerability discovered by Not Available
• Not Available - Responsible disclosure to geoserver
• Not Available - CVE CVE-2024-36401 assigned
• Not Available - geoserver releases security patch
• 2024-07-01 - CVE CVE-2024-36401 published to NVD
• 2025-10-24 - Last updated in NVD database

Technical Details for CVE-2024-36401

Vulnerability Analysis

The GeoTools library API unsafely evaluates property/attribute names as XPath expressions, which may execute arbitrary code. This affects both simple and complex feature types in GeoServer.

Root Cause

Evaluating property names as XPath expressions without proper sanitization in the commons-jxpath library.

Attack Vector

Attackers can exploit remotely via network access using WFS and WMS requests.

// Example exploitation code (sanitized)
String xPathExpression = "document()";
jxpathContext.selectNodes(xPathExpression);

Detection Methods for CVE-2024-36401

Indicators of Compromise

• Unusual network requests to GeoServer endpoints
• Unexpected execution of Java processes
• Altered GeoServer configurations

Detection Strategies

Implement monitoring for suspicious or unusual patterns in GeoServer network traffic and execution logs. Use IDS/IPS solutions to detect common malicious payloads.

Monitoring Recommendations

Deploy real-time monitoring solutions such as SentinelOne that detect and block attempts to exploit this RCE vulnerability by analyzing network anomalies and process behaviors.

How to Mitigate CVE-2024-36401

Immediate Actions Required

• Update GeoServer to versions 2.22.6, 2.23.6, 2.24.4, or 2.25.2
• Remove vulnerable gt-complex-x.y.jar files
• Review and restrict GeoServer user access controls

Patch Information

Patches are available at GeoServer's official repository and should be applied immediately to mitigate this vulnerability.

Workarounds

Remove the gt-complex-x.y.jar file from GeoServer directories; consult the vendor's security advisory for full details.

# Configuration example
rm -f /path/to/geoserver/WEB-INF/lib/gt-complex-31.1.jar