ghsa-jj54-8f66-c5pc
Vulnerability from github
Published
2025-06-10 20:10
Modified
2025-06-10 20:10
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Summary
[XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service
Details

Summary

GeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack.

It is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF).

Details

While direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation.

This bypasses GeoServer's AllowListEntityResolver enabling XXE attacks.

PoC

No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service.

Impact

  • Information Disclosure:

This vulnerability allows unauthenticated attackers to read arbitrary files from the server's filesystem that are accessible to the GeoServer process.

This can lead to exposure of sensitive information including configuration files, credentials, and system files. The attack can be performed remotely without authentication, making it particularly severe.

  • Server-Side Request Forgery (SSRF)

The mechanism inherently allows forcing GeoServer to make HTTP requests to arbitrary URLs, enabling SSRF attacks against internal network resources

References

Acknowledgements

This vulnerability was initially reported via an automated tool described below. Subsequently a duplicate report via @YacineF, and their patience working with the GeoServer project, was instrumental finding in escalating this issue and determining a resolution.

XBOW-025-068 Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.27.0"
            },
            {
              "fixed": "2.27.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.27.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-wfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.27.0"
            },
            {
              "fixed": "2.27.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.27.0"
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.26.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.26.0"
            },
            {
              "fixed": "2.26.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.26.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-wfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.26.0"
            },
            {
              "fixed": "2.26.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.25.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.25.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-wfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T20:10:06Z",
    "nvd_published_at": "2025-06-10T16:15:37Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nGeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack.\n\nIt is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers.  This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF).\n\n## Details\n\nWhile direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation.\n\nThis bypasses GeoServer\u0027s AllowListEntityResolver enabling XXE attacks.\n\n## PoC\n\nNo public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service.\n\n## Impact\n\n* Information Disclosure: \n\n  This vulnerability allows unauthenticated attackers to read arbitrary files from the server\u0027s filesystem that are accessible to the GeoServer process.\n  \n  This can lead to exposure of sensitive information including configuration files, credentials, and system files. The attack can be performed remotely without authentication, making it particularly severe.\n\n* Server-Side Request Forgery (SSRF) \n  \n  The mechanism inherently allows forcing GeoServer to make HTTP requests to arbitrary URLs, enabling SSRF attacks against internal network resources \n\n## References\n\n* [CVE-2025-30220](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw) XML External Entity (XXE) Processing Vulnerability in XSD schema handling\n* [External Entities Resolution](https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) (GeoServer User Manual)\n\n## Acknowledgements\n\nThis vulnerability was initially reported via an automated tool described below. Subsequently a duplicate report via @YacineF, and their patience working with the GeoServer project, was instrumental finding in escalating this issue and determining a resolution.\n\n### XBOW-025-068 Disclaimer\n\nThis vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.",
  "id": "GHSA-jj54-8f66-c5pc",
  "modified": "2025-06-10T20:10:07Z",
  "published": "2025-06-10T20:10:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30220"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/pull/8757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/pull/8803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/pull/8812"
    },
    {
      "type": "WEB",
      "url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geoserver/geoserver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "[XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.