Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-58360

CVE-2025-58360: GeoServer XXE Vulnerability via WMS GetMap

CVE-2025-58360 is an XML External Entity vulnerability in GeoServer affecting versions 2.26.0-2.26.2 and before 2.25.6. Attackers can exploit the WMS GetMap endpoint to define external entities. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-58360 Overview

CVE-2025-58360 is an XML External Entity (XXE) vulnerability affecting GeoServer, an open source server that allows users to share and edit geospatial data. The vulnerability exists in versions 2.26.0 through 2.26.2 and versions prior to 2.25.6. The application accepts XML input through the /geoserver/wms endpoint during the GetMap operation, but this input is not sufficiently sanitized or restricted. This allows an attacker to define external entities within the XML request, potentially leading to information disclosure, server-side request forgery, or denial of service.

Critical Impact

This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities catalog. Unauthenticated attackers can exploit this XXE flaw remotely to access sensitive server files, perform SSRF attacks, or cause service disruption.

Affected Products

  • GeoServer versions 2.26.0 to before 2.26.2
  • GeoServer versions before 2.25.6
  • GeoServer versions before 2.27.0

Discovery Timeline

  • 2025-11-25 - CVE-2025-58360 published to NVD
  • 2025-12-12 - Last updated in NVD database

Technical Details for CVE-2025-58360

Vulnerability Analysis

This XXE vulnerability (CWE-611) resides in the WMS (Web Map Service) endpoint of GeoServer. The GetMap operation accepts XML-formatted requests that are not properly validated for external entity declarations. When the XML parser processes a maliciously crafted request containing external entity references, it can be tricked into fetching and disclosing sensitive local files, making outbound network requests to internal services, or exhausting system resources through entity expansion attacks.

The attack does not require authentication and can be executed remotely over the network. The vulnerability allows complete compromise of confidentiality, integrity, and availability of the affected system. Given that GeoServer instances are often deployed in enterprise environments with access to sensitive geospatial data, the potential impact is severe.

Root Cause

The root cause of this vulnerability is insufficient input sanitization in the XML parsing logic used by the WMS GetMap operation. The application fails to properly disable external entity resolution when processing user-supplied XML content. Specifically, the XML parser is not configured to prevent DOCTYPE declarations or external entity references, allowing attackers to inject malicious XML constructs that instruct the parser to retrieve external resources or local files.

Attack Vector

The attack is executed by sending a crafted HTTP request to the /geoserver/wms endpoint with a malicious XML payload containing external entity definitions. The attacker constructs an XML document with a DOCTYPE declaration that defines an external entity pointing to a local file (such as /etc/passwd) or an internal network resource. When the GeoServer XML parser processes this request, it resolves the external entity and includes its contents in the response or processes it server-side.

This vulnerability can be exploited to:

  • Read sensitive files from the server's file system
  • Perform Server-Side Request Forgery (SSRF) attacks against internal services
  • Cause denial of service through recursive entity expansion (billion laughs attack)
  • Exfiltrate data to attacker-controlled servers

The exploitation mechanism involves sending a POST request to the vulnerable endpoint with a crafted XML body containing a malicious DOCTYPE declaration. When the XML parser processes this document, it resolves the external entity reference, effectively reading the target file or making the specified network request. For detailed technical information, refer to the GitHub Security Advisory.

Detection Methods for CVE-2025-58360

Indicators of Compromise

  • Unusual HTTP POST requests to /geoserver/wms endpoint containing DOCTYPE declarations or ENTITY definitions
  • XML payloads containing <!DOCTYPE> declarations with external entity references in WMS requests
  • Outbound network connections from the GeoServer process to unexpected internal or external hosts
  • Error messages or logs indicating XML parsing errors related to entity resolution
  • Attempts to access sensitive files such as /etc/passwd, configuration files, or credentials

Detection Strategies

  • Deploy Web Application Firewall (WAF) rules to block XML requests containing DOCTYPE declarations or ENTITY definitions
  • Monitor GeoServer access logs for abnormal patterns in WMS GetMap requests, particularly those with large or malformed payloads
  • Implement network-level monitoring to detect unexpected outbound connections from GeoServer instances
  • Use intrusion detection systems (IDS) with signatures for common XXE attack patterns
  • Audit GeoServer logs for XML parsing exceptions or entity resolution failures

Monitoring Recommendations

  • Enable verbose logging for the WMS service to capture full request details
  • Set up alerts for any HTTP requests to GeoServer containing suspicious XML keywords like ENTITY, SYSTEM, or PUBLIC
  • Monitor file access patterns on the GeoServer host for unusual read operations on sensitive files
  • Implement network segmentation and monitor cross-segment traffic from GeoServer instances
  • Review CISA alerts and threat intelligence feeds for new exploitation techniques related to CVE-2025-58360

How to Mitigate CVE-2025-58360

Immediate Actions Required

  • Upgrade GeoServer to version 2.25.6, 2.26.3, or 2.27.0 immediately
  • If immediate patching is not possible, restrict network access to the /geoserver/wms endpoint
  • Deploy WAF rules to filter malicious XML payloads containing external entity references
  • Review GeoServer access logs for evidence of exploitation attempts
  • Consider temporarily disabling the WMS service if it is not critical to operations

Patch Information

GeoServer has released patched versions that address this vulnerability. Upgrade to one of the following versions:

  • GeoServer 2.25.6 - Patches the vulnerability for the 2.25.x branch
  • GeoServer 2.26.3 - Patches the vulnerability for the 2.26.x branch
  • GeoServer 2.27.0 - Contains the fix in the latest release

For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory and the OSGeo Issue Tracker Entry.

Workarounds

  • Configure network firewalls to restrict access to GeoServer endpoints from trusted networks only
  • Deploy a reverse proxy with XML filtering capabilities to strip or reject requests containing DOCTYPE declarations
  • If using Java-based XML processing, ensure the XML parser is configured with secure defaults that disable external entity resolution
  • Implement application-level input validation to reject XML requests with suspicious constructs
  • Consider network segmentation to isolate GeoServer instances from sensitive internal resources
bash
# Example: Restricting access to GeoServer WMS endpoint via iptables
# Allow only trusted IP ranges to access GeoServer on port 8080
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne