CVE-2025-30220 Overview
CVE-2025-30220 is a critical XML External Entity (XXE) vulnerability affecting GeoServer, GeoTools, and GeoNetwork—widely deployed open source platforms for sharing and editing geospatial data. The vulnerability exists in the GeoTools Schema class, which uses the Eclipse XSD library to represent schema data structures. The gt-xsd-core Schemas class fails to properly use the EntityResolver provided by the ParserHandler, even when one is configured, enabling attackers to exploit XXE when processing XML documents that reference external XML schemas.
This flaw also impacts users of the gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being utilized as intended, further expanding the attack surface for organizations relying on Web Feature Service (WFS) functionality.
Critical Impact
Remote attackers can exploit this XXE vulnerability to read sensitive files from affected servers and cause denial of service conditions without authentication, potentially exposing confidential geospatial data and disrupting critical mapping infrastructure.
Affected Products
- GeoTools versions prior to 33.1, 32.3, 31.7, and 28.6.1
- GeoServer versions prior to 2.27.1, 2.26.3, and 2.25.7
- GeoNetwork versions prior to 4.4.8 and 4.2.13
Discovery Timeline
- 2025-06-10 - CVE-2025-30220 published to NVD
- 2025-08-26 - Last updated in NVD database
Technical Details for CVE-2025-30220
Vulnerability Analysis
This XXE vulnerability stems from improper configuration of the XML parsing components within the GeoTools library. When the gt-xsd-core module processes XML documents containing references to external schemas, the Schemas class does not honor the EntityResolver that may have been configured in the ParserHandler. This architectural flaw means that even when administrators have properly configured entity resolution restrictions, the protection is bypassed during schema processing.
The vulnerability enables two primary attack scenarios: confidential data exfiltration through external entity references to local files, and denial of service through entity expansion attacks or references to unreachable external resources. Since GeoServer and GeoNetwork are commonly deployed as internet-facing services for sharing geospatial data, the network-accessible attack vector significantly increases the risk exposure.
The gt-wfs-ng DataStore component compounds this issue by not properly utilizing the ENTITY_RESOLVER connection parameter, meaning WFS endpoints that rely on this configuration are also vulnerable despite ostensibly being protected.
Root Cause
The root cause is CWE-611: Improper Restriction of XML External Entity Reference. The gt-xsd-core Schemas class implementation fails to properly propagate EntityResolver configurations to the underlying Eclipse XSD library during XML parsing operations. This results in the XML parser accepting and processing external entity declarations even when security controls are intended to prevent such behavior.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious XML documents containing external entity references and submit them to any endpoint that processes XML through the affected GeoTools components. When the vulnerable parser processes these documents, it will resolve external entities, potentially reading local files from the server's filesystem or making outbound network connections to attacker-controlled resources.
The vulnerability mechanism involves crafting XML documents with DOCTYPE declarations containing external entity references. When these documents are processed by affected GeoServer, GeoTools, or GeoNetwork instances, the parser resolves the entities without proper restriction. This can be used to exfiltrate files like /etc/passwd, configuration files containing credentials, or cause denial of service by referencing extremely large files or slow-responding external URLs. For detailed technical information, see the GeoTools Security Advisory and GeoServer Security Advisory.
Detection Methods for CVE-2025-30220
Indicators of Compromise
- Unusual outbound network connections from GeoServer/GeoNetwork instances to external hosts
- Web server logs showing XML requests with suspicious DOCTYPE declarations or ENTITY references
- Error logs containing references to file access attempts for system files like /etc/passwd or Windows system files
- Unexplained timeouts or resource exhaustion in XML processing services
Detection Strategies
- Monitor and alert on XML requests containing <!DOCTYPE or <!ENTITY declarations in request bodies
- Implement network segmentation monitoring to detect GeoServer instances making unexpected outbound connections
- Deploy Web Application Firewall (WAF) rules to inspect and block XML payloads with external entity patterns
- Review application logs for XML parsing errors that may indicate exploitation attempts
Monitoring Recommendations
- Enable detailed logging for XML processing operations in GeoServer and GeoNetwork configurations
- Set up alerting for any file access patterns from the GeoServer process that target sensitive system files
- Monitor CPU and memory utilization on GeoServer hosts to detect entity expansion denial of service attempts
- Implement network traffic analysis to identify data exfiltration patterns from geospatial infrastructure
How to Mitigate CVE-2025-30220
Immediate Actions Required
- Update GeoTools to version 33.1, 32.3, 31.7, or 28.6.1 depending on your version branch
- Upgrade GeoServer to version 2.27.1, 2.26.3, or 2.25.7 as appropriate for your deployment
- Upgrade GeoNetwork to version 4.4.8 or 4.2.13
- Review and restrict network access to GeoServer instances while patching is in progress
- Audit logs for evidence of prior exploitation attempts
Patch Information
Security patches have been released across all affected product lines. The fixes ensure that the EntityResolver configuration is properly utilized during XML schema processing. Organizations should update to the following fixed versions:
- GeoTools: 33.1, 32.3, 31.7, or 28.6.1
- GeoServer: 2.27.1, 2.26.3, or 2.25.7
- GeoNetwork: 4.4.8 or 4.2.13
For detailed patch information, review the vendor security advisories: GeoTools Advisory, GeoServer Advisory, and GeoNetwork Advisory.
Workarounds
- Implement WAF rules to block XML requests containing external entity declarations
- Place GeoServer instances behind a reverse proxy that sanitizes XML input
- Restrict network egress from GeoServer hosts to prevent data exfiltration
- Consult the GeoServer Production Configuration Guide for additional hardening recommendations
# Example: Restrict outbound connections from GeoServer using iptables
# Limit egress traffic to only required services while patching
iptables -A OUTPUT -m owner --uid-owner geoserver -j DROP
# Allow only specific required outbound connections
iptables -I OUTPUT -m owner --uid-owner geoserver -d trusted-host.example.com -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
