CVE-2024-36401 Overview
CVE-2024-36401 is an unauthenticated remote code execution vulnerability in GeoServer, an open source server for sharing and editing geospatial data. The flaw exists in the underlying GeoTools library, which evaluates property names as XPath expressions through the commons-jxpath library. Because XPath evaluation is incorrectly applied to simple feature types in addition to complex Application Schema feature types, every default GeoServer installation prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 is affected. Attackers can trigger code execution through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests. CISA added this CVE to its Known Exploited Vulnerabilities catalog.
Critical Impact
Unauthenticated attackers can execute arbitrary code on default GeoServer installations through standard OGC request parameters, leading to full server compromise.
Affected Products
- GeoServer versions prior to 2.22.6, 2.23.6, 2.24.4, and 2.25.2
- GeoTools library versions prior to the patched releases referenced in GHSA-w3pj-wh35-fq8w (the 30.0 and 31.0 release candidates are affected as well as the final releases)
Discovery Timeline
- 2024-07-01 - CVE-2024-36401 published to the National Vulnerability Database
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2024-36401
Vulnerability Analysis
The vulnerability is classified under [CWE-95] Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) and [CWE-94] Improper Control of Generation of Code. GeoServer relies on the GeoTools library to resolve feature property names. GeoTools passes these names to the Apache commons-jxpath library, which evaluates them as XPath expressions and supports extension functions capable of invoking arbitrary Java methods. An attacker who controls a property name reaching this evaluator can execute arbitrary code under the GeoServer process identity.
The XPath evaluation path was designed for complex feature types served from Application Schema data stores. The implementation routes simple feature types, which every default installation serves, through the same evaluator, so no Application Schema configuration is needed for a host to be exposed. EPSS scoring places this CVE among the vulnerabilities most likely to be exploited, which is consistent with the confirmed in-the-wild exploitation behind its KEV listing.
Root Cause
The root cause is unsafe evaluation of attacker-controlled property names as JXPath expressions. The commons-jxpath extension function syntax lets an expression call static Java methods by fully qualified name (for example java.lang.Runtime.getRuntime()) and then call instance methods such as exec(...) on the object that is returned. Before the fix, GeoTools neither restricted the expression context nor validated the property name before handing it to JXPath, and GeoServer surfaces this evaluation across multiple OGC endpoints without authentication.
Attack Vector
The vulnerability is reachable over the network without credentials or user interaction. Attackers craft an OGC request that supplies a malicious XPath expression in place of a property name. Confirmed exploitation paths include WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests. The malicious property name is parsed as a JXPath expression, the extension function is resolved, and the chosen Java method executes on the server.
No verified public proof-of-concept code is included in this advisory. Refer to the GeoServer Security Advisory GHSA-6jj6-gm7p-fcvv and the GeoTools Security Advisory GHSA-w3pj-wh35-fq8w for vendor technical details.
Detection Methods for CVE-2024-36401
Indicators of Compromise
- HTTP requests to /geoserver/ows, /geoserver/wfs, /geoserver/wms, or /geoserver/wps containing JXPath extension function syntax such as exec(, Runtime.getRuntime, or ProcessBuilder in propertyName, valueReference, or typeNames parameters (inspect values after URL-decoding, since the payload normally arrives percent-encoded)
- Child processes spawned by the Java process hosting GeoServer, including sh, bash, cmd.exe, powershell.exe, curl, or wget
- Outbound connections from the GeoServer host to unfamiliar IP addresses immediately following OGC requests
- New files written to GeoServer data directories or temporary paths shortly after WFS or WMS traffic
Detection Strategies
- Inspect web server and reverse proxy logs for OGC property name parameters containing parentheses or Java class references (java.lang., Runtime, ProcessBuilder); a bare colon is not suspicious on its own, because namespace-prefixed property names of the form prefix:attribute are normal traffic. Note that OGC POST requests carry these parameters in the XML body, which standard access logs do not record, so body inspection at the WAF or reverse proxy is needed to cover that path
- Monitor process lineage from java processes running GeoServer and alert on shell or scripting interpreter children
- Apply WAF or IDS signatures matching JXPath extension function patterns inside OGC requests
- Correlate inbound OGC traffic with outbound egress to detect staged downloads of secondary payloads
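The following script is an added example for this page and is not code from the GeoServer or GeoTools projects or from the advisories cited here. It applies the indicator list and the log-inspection strategy above to Apache/NGINX-style access log lines: it parses each line, URL-decodes the OGC query parameters, and flags values that contain the JXPath extension function patterns named above. The endpoint paths, parameter names and patterns come from the indicator list; the high/medium confidence labels are this example's own convention, and the log lines embedded at the top are constructed for the demonstration, not real traffic. It also counts OGC POST requests, whose XML body is not in the access log and therefore cannot be inspected this way.

```python
"""Scan access logs for CVE-2024-36401 (GeoServer JXPath) request indicators.

Added example for this advisory page, not GeoServer/GeoTools project code.
SAMPLE_LOG below is constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the indicator list names as carriers of a property name.
WATCHED_PARAMS = {"propertyname", "valuereference", "typenames"}

# GeoServer OGC endpoint paths from the indicator list.
OGC_PATHS = ("/geoserver/ows", "/geoserver/wfs", "/geoserver/wms", "/geoserver/wps")

# JXPath extension-function syntax from the indicator list. Parentheses and a
# Java package/class reference are the signal; a bare colon is not, because a
# namespace-prefixed property name (prefix:attribute) is normal traffic.
JXPATH_FUNCTION = re.compile(r"exec\s*\(|getRuntime|ProcessBuilder|java\.lang\.", re.IGNORECASE)

# Apache/NGINX combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one GetPropertyValue request
# carrying exec() in valueReference, benign WFS and WMS requests, and a POST.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jul/2024:10:15:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states'
    '&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [01/Jul/2024:10:15:03 +0000] "GET /geoserver/wfs?service=WFS&version=1.1.0'
    '&request=GetFeature&typeName=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 2048 "-" "QGIS/3.34"',
    '203.0.113.10 - - [01/Jul/2024:10:15:04 +0000] "POST /geoserver/wfs HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.44 - - [01/Jul/2024:10:16:00 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states'
    '&bbox=-180,-90,180,90&width=256&height=256&srs=EPSG:4326&format=image/png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_target(target):
    """Return findings for one request target (path plus query string).

    parse_qs percent-decodes each value once, which is also what the servlet
    container does before GeoServer sees the parameter.
    """
    parts = urlsplit(target)
    if not parts.path.lower().startswith(OGC_PATHS):
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if JXPATH_FUNCTION.search(value):
                findings.append({
                    "endpoint": parts.path,
                    "param": name,
                    "value": value,
                    # A hit inside a property-name parameter is the direct vector;
                    # the same syntax elsewhere is still worth review.
                    "confidence": "high" if name.lower() in WATCHED_PARAMS else "medium",
                })
    return findings


def scan_log(lines):
    """Return (findings, uninspected) where uninspected counts OGC POSTs whose
    XML body, and therefore any property name, is absent from the access log."""
    findings, uninspected = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["target"].lower().startswith(OGC_PATHS):
            uninspected += 1
        for f in inspect_target(rec["target"]):
            f.update(ip=rec["ip"], ts=rec["ts"], status=rec["status"])
            findings.append(f)
    return findings, uninspected


if __name__ == "__main__":
    hits, posts = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["endpoint"]} {h["param"]}={h["value"]!r} [{h["confidence"]}]')
    print(f"{len(hits)} suspicious request(s); {posts} OGC POST(s) not inspectable from the access log alone")
```

Run it against real logs by replacing SAMPLE_LOG with the file contents; the POST counter is a reminder that any non-zero value needs request-body logging or WAF inspection before the host can be declared clean.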
Monitoring Recommendations
- Enable verbose access logging on the GeoServer servlet container and forward logs to a centralized analytics platform
- Baseline normal OGC parameter values per deployment so that anomalous property name structures stand out
- Track CISA KEV catalog updates and verify GeoServer hosts against the published patched versions
How to Mitigate CVE-2024-36401
Immediate Actions Required
- Upgrade GeoServer to 2.22.6, 2.23.6, 2.24.4, 2.25.2, or any later release that contains the fix
- Restrict network access to GeoServer management and OGC endpoints to trusted networks until patching is complete
- Audit GeoServer hosts for signs of prior exploitation given the CISA KEV listing
- Rotate any credentials, API keys, or tokens stored on compromised GeoServer instances
Patch Information
The GeoServer project shipped fixes in versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2. The underlying GeoTools fix is tracked in GeoTools Pull Request #4797 and OSGeo Issue GEOT-7587. Review the GeoServer Security Advisory GHSA-6jj6-gm7p-fcvv before deploying.
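A small triage helper, added here as an example and not part of the GeoServer or GeoTools projects, that encodes the fixed releases listed above: it decides whether a reported GeoServer version is on or past the first fixed release of its line, and inspects a WEB-INF/lib listing for the gt-complex jar that the workaround section removes, so an unpatched host with the jar already quarantined is reported separately from one that is still exposed. The host inventory and jar listings at the bottom are constructed for the demonstration; the status names are this example's own.

```python
"""Triage helper for CVE-2024-36401: is a GeoServer host on a fixed release,
and is the gt-complex jar (the workaround target) still deployed?

Added example for this advisory page; not GeoServer or GeoTools project code.
INVENTORY at the bottom is constructed for the demonstration.
"""
import re

# First fixed release per GeoServer minor line, as listed in this advisory.
PATCHED_MINIMUM = {22: 6, 23: 6, 24: 4, 25: 2}
LAST_LISTED_MINOR = max(PATCHED_MINIMUM)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
GT_COMPLEX_RE = re.compile(r"^gt-complex-(\d+\.\d+(?:\.\d+)?)\.jar$")


def parse_version(text):
    """'2.25.1' -> (2, 25, 1). A pre-release suffix such as -RC or -SNAPSHOT is
    ignored, so confirm such builds manually against the release notes."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version_text):
    """True if the version is the first fixed release of its line or later."""
    major, minor, patch = parse_version(version_text)
    if major != 2:
        return major > 2
    if minor > LAST_LISTED_MINOR:
        return True          # later lines (2.26 onward) carry the fix
    first_fixed = PATCHED_MINIMUM.get(minor)
    if first_fixed is None:
        return False         # 2.21 and older predate the first fixed line
    return patch >= first_fixed


def find_gt_complex(lib_jars):
    """Return (jar name, GeoTools version) if gt-complex is deployed, else (None, None)."""
    for name in lib_jars:
        m = GT_COMPLEX_RE.match(name)
        if m:
            return name, m.group(1)
    return None, None


def assess(version_text, lib_jars):
    """Combine the version check with the jar scan into one status per host."""
    jar, geotools = find_gt_complex(lib_jars)
    patched = is_patched(version_text)
    if patched:
        status = "patched"
    elif jar is None:
        status = "workaround"   # unpatched, but the vulnerable module is absent
    else:
        status = "vulnerable"
    return {"geoserver": version_text, "patched": patched,
            "gt_complex_jar": jar, "geotools": geotools, "status": status}


# Constructed inventory: host name, reported GeoServer version, WEB-INF/lib listing.
INVENTORY = [
    ("gis-prod-1", "2.25.1", ["gt-main-31.1.jar", "gt-complex-31.1.jar", "gt-wfs-ng-31.1.jar"]),
    ("gis-prod-2", "2.25.1", ["gt-main-31.1.jar", "gt-wfs-ng-31.1.jar"]),
    ("gis-dev-1", "2.25.2", ["gt-main-31.2.jar", "gt-complex-31.2.jar"]),
    ("gis-legacy", "2.21.5", ["gt-main-27.5.jar", "gt-complex-27.5.jar"]),
]


def report(inventory):
    """Map host name -> assessment for every (host, version, jars) tuple."""
    return {host: assess(version, jars) for host, version, jars in inventory}


if __name__ == "__main__":
    for host, result in report(INVENTORY).items():
        print(f"{host:12} GeoServer {result['geoserver']:8} "
              f"GeoTools {result['geotools'] or '-':6} {result['status']}")
```

The "workaround" status is deliberately not "patched": the jar removal is an interim measure, and a host in that state still needs the upgrade.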
Workarounds
- Remove the gt-complex-x.y.jar file from the GeoServer installation, where x.y matches the GeoTools version in use (for example, gt-complex-31.1.jar for GeoServer 2.25.1)
- Validate that removing gt-complex does not break required Application Schema functionality before applying in production
- Place a web application firewall in front of GeoServer to block OGC parameters containing JXPath extension function syntax
- Consult the community workaround guidance for CVE-2022-41852, the underlying commons-jxpath issue, when removing JXPath capabilities from other dependent applications
# Configuration example: remove the vulnerable gt-complex module (adjust version and paths to the deployment)
set -e
GEOSERVER_LIB_DIR="/opt/geoserver/webapps/geoserver/WEB-INF/lib"
GT_VERSION="31.1"
QUARANTINE_DIR="/opt/geoserver/quarantine"
JAR="${GEOSERVER_LIB_DIR}/gt-complex-${GT_VERSION}.jar"
[ -f "${JAR}" ] || { echo "gt-complex jar not found: ${JAR}" >&2; exit 1; }
mkdir -p "${QUARANTINE_DIR}"
mv "${JAR}" "${QUARANTINE_DIR}/"
systemctl restart geoserver
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.