Vulnerability-Lookup

CVE-2025-58360 (GCVE-0-2025-58360)

Vulnerability from cvelistv5 – Published: 2025-11-25 20:17 – Updated: 2025-12-12 04:55

CISA KEV

Title

GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature

Summary

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Severity ?

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

CWE

CWE-611 - Improper Restriction of XML External Entity Reference

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	geoserver	geoserver	Affected: >= 2.26.0, < 2.26.2 Affected: < 2.25.6

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 901d3b42-7081-48fa-ae64-bf9f22042429

Vulnerability ID: CVE-2025-58360

Status: Confirmed

Status Updated: 2025-12-11 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2025-12-11

Asserted: 2025-12-11

Scope

Notes: KEV entry: OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability | Affected: OSGeo / GeoServer | Description: OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2026-01-01 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 ; https://osgeo-org.atlassian.net/browse/GEOS-11922 ; https://nvd.nist.gov/vuln/detail/CVE-2025-58360

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-611
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	GeoServer
Due Date	2026-01-01
Date Added	2025-12-11
Vendorproject	OSGeo
Vulnerabilityname	OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability
Knownransomwarecampaignuse	Unknown

References

CVE-2025-58360

Created: 2026-02-02 12:25 UTC | Updated: 2026-02-02 12:25 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58360",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-10T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-12-11",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-12T04:55:42.921Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-12-11T00:00:00+00:00",
            "value": "CVE-2025-58360 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "geoserver",
          "vendor": "geoserver",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.26.0, \u003c 2.26.2"
            },
            {
              "status": "affected",
              "version": "\u003c 2.25.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-25T20:17:35.254Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"
        },
        {
          "name": "https://osgeo-org.atlassian.net/browse/GEOS-11682",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://osgeo-org.atlassian.net/browse/GEOS-11682"
        }
      ],
      "source": {
        "advisory": "GHSA-fjf5-xgmq-5525",
        "discovery": "UNKNOWN"
      },
      "title": "GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58360",
    "datePublished": "2025-11-25T20:17:35.254Z",
    "dateReserved": "2025-08-29T16:19:59.010Z",
    "dateUpdated": "2025-12-12T04:55:42.921Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2025-58360",
      "cwes": "[\"CWE-611\"]",
      "dateAdded": "2025-12-11",
      "dueDate": "2026-01-01",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 ; https://osgeo-org.atlassian.net/browse/GEOS-11922 ; https://nvd.nist.gov/vuln/detail/CVE-2025-58360",
      "product": "GeoServer",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.",
      "vendorProject": "OSGeo",
      "vulnerabilityName": "OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-58360\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-25T21:15:56.363\",\"lastModified\":\"2025-12-12T13:54:01.187\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2025-12-11\",\"cisaActionDue\":\"2026-01-01\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.25.6\",\"matchCriteriaId\":\"929A415A-3926-49DE-855E-9363B5E495D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.26.0\",\"versionEndExcluding\":\"2.26.2\",\"matchCriteriaId\":\"58DCFD5D-914E-442F-AD07-C019C3BDDB2A\"}]}]}],\"references\":[{\"url\":\"https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://osgeo-org.atlassian.net/browse/GEOS-11682\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-58360\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-11T19:48:40.924988Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-12-11\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360\"}}}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-25T20:30:34.028Z\"}, \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-12-11T00:00:00+00:00\", \"value\": \"CVE-2025-58360 added to CISA KEV\"}]}], \"cna\": {\"title\": \"GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature\", \"source\": {\"advisory\": \"GHSA-fjf5-xgmq-5525\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"geoserver\", \"product\": \"geoserver\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.26.0, \u003c 2.26.2\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.25.6\"}]}], \"references\": [{\"url\": \"https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525\", \"name\": \"https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://osgeo-org.atlassian.net/browse/GEOS-11682\", \"name\": \"https://osgeo-org.atlassian.net/browse/GEOS-11682\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611: Improper Restriction of XML External Entity Reference\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-25T20:17:35.254Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-58360\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-12T04:55:42.921Z\", \"dateReserved\": \"2025-08-29T16:19:59.010Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-25T20:17:35.254Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-58360

Vulnerability from fkie_nvd - Published: 2025-11-25 21:15 - Updated: 2025-12-12 13:54

CISA KEV

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525	Vendor Advisory
security-advisories@github.com	https://osgeo-org.atlassian.net/browse/GEOS-11682	Issue Tracking
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360	US Government Resource

Impacted products

	Vendor	Product	Version
	geoserver	geoserver	*
	geoserver	geoserver	*

JSON

To clipboard

{
  "cisaActionDue": "2026-01-01",
  "cisaExploitAdd": "2025-12-11",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "929A415A-3926-49DE-855E-9363B5E495D3",
              "versionEndExcluding": "2.25.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "58DCFD5D-914E-442F-AD07-C019C3BDDB2A",
              "versionEndExcluding": "2.26.2",
              "versionStartIncluding": "2.26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0."
    }
  ],
  "id": "CVE-2025-58360",
  "lastModified": "2025-12-12T13:54:01.187",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-11-25T21:15:56.363",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://osgeo-org.atlassian.net/browse/GEOS-11682"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2025-2676

Vulnerability from csaf_certbund - Published: 2025-11-25 23:00 - Updated: 2025-12-11 23:00

Summary

GeoServer: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

GeoServer ist ein Open-Source-Server zum Teilen von Geodaten.

Angriff

Ein Angreifer kann mehrere Schwachstellen in GeoServer ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, um Informationen offenzulegen, und um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "GeoServer ist ein Open-Source-Server zum Teilen von Geodaten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in GeoServer ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren, um Informationen offenzulegen, und um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-2676 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2676.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-2676 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2676"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2025-11-25",
        "url": "https://github.com/advisories/GHSA-w66h-j855-qr72"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2025-11-25",
        "url": "https://github.com/advisories/GHSA-fjf5-xgmq-5525"
      },
      {
        "category": "external",
        "summary": "CISA KEV: CVE-2025-58360 OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability vom 2025-12-11",
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
      }
    ],
    "source_lang": "en-US",
    "title": "GeoServer: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-12-11T23:00:00.000+00:00",
      "generator": {
        "date": "2025-12-12T06:50:00.615+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2025-2676",
      "initial_release_date": "2025-11-25T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-11-25T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-12-11T23:00:00.000+00:00",
          "number": "2",
          "summary": "CVE-2025-58360 wird ausgenutzt"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.25.0",
                "product": {
                  "name": "Open Source GeoServer \u003c2.25.0",
                  "product_id": "T048892"
                }
              },
              {
                "category": "product_version",
                "name": "2.25.0",
                "product": {
                  "name": "Open Source GeoServer 2.25.0",
                  "product_id": "T048892-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:geoserver:geoserver:2.25.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.25.6",
                "product": {
                  "name": "Open Source GeoServer \u003c2.25.6",
                  "product_id": "T048893"
                }
              },
              {
                "category": "product_version",
                "name": "2.25.6",
                "product": {
                  "name": "Open Source GeoServer 2.25.6",
                  "product_id": "T048893-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:geoserver:geoserver:2.25.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.26.2",
                "product": {
                  "name": "Open Source GeoServer \u003c2.26.2",
                  "product_id": "T048894"
                }
              },
              {
                "category": "product_version",
                "name": "2.26.2",
                "product": {
                  "name": "Open Source GeoServer 2.26.2",
                  "product_id": "T048894-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:geoserver:geoserver:2.26.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "GeoServer"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-21621",
      "product_status": {
        "known_affected": [
          "T048892"
        ]
      },
      "release_date": "2025-11-25T23:00:00.000+00:00",
      "title": "CVE-2025-21621"
    },
    {
      "cve": "CVE-2025-58360",
      "product_status": {
        "known_affected": [
          "T048894",
          "T048893",
          "T048892"
        ]
      },
      "release_date": "2025-11-25T23:00:00.000+00:00",
      "title": "CVE-2025-58360"
    }
  ]
}

NCSC-2025-0393

Vulnerability from csaf_ncscnl - Published: 2025-12-12 08:12 - Updated: 2025-12-12 09:02

Summary

Kwetsbaarheid verholpen in GeoServer

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

OSGeo heeft een kwetsbaarheid verholpen in GeoServer.

Interpretaties

De kwetsbaarheid bevindt zich in de wijze waarop GeoServer XML-input verwerkt, specifiek via de `/geoserver/wms` GetMap-operatie. Onjuiste sanitatie van XML-input stelt aanvallers in staat om gevoelige bestanden openbaar te maken of Denial-of-Service-aanvallen uit te voeren met behulp van op maat gemaakte XML-input. Er zijn gevallen van actief misbruik van deze kwetsbaarheid bekend.

Oplossingen

OSGeo heeft updates uitgebracht om de kwetsbaarheid te verhelpen. In tegenstelling tot wat in de referentie staat adviseert het NCSC om te updaten naar versie 2.28.1, aangezien de genoemde versies in de advisory de kwetsbaarheid nog steeds bevatten.

Kans

medium

Schade

high

CWE-611

Improper Restriction of XML External Entity Reference

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "OSGeo heeft een kwetsbaarheid verholpen in GeoServer.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheid bevindt zich in de wijze waarop GeoServer XML-input verwerkt, specifiek via de `/geoserver/wms` GetMap-operatie. Onjuiste sanitatie van XML-input stelt aanvallers in staat om gevoelige bestanden openbaar te maken of Denial-of-Service-aanvallen uit te voeren met behulp van op maat gemaakte XML-input. Er zijn gevallen van actief misbruik van deze kwetsbaarheid bekend.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "OSGeo heeft updates uitgebracht om de kwetsbaarheid te verhelpen. In tegenstelling tot wat in de referentie staat adviseert het NCSC om te updaten naar versie 2.28.1, aangezien de genoemde versies in de advisory de kwetsbaarheid nog steeds bevatten.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Restriction of XML External Entity Reference",
        "title": "CWE-611"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"
      }
    ],
    "title": "Kwetsbaarheid verholpen in GeoServer",
    "tracking": {
      "current_release_date": "2025-12-12T09:02:27.681292Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2025-0393",
      "initial_release_date": "2025-12-12T08:12:18.831044Z",
      "revision_history": [
        {
          "date": "2025-12-12T08:12:18.831044Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        },
        {
          "date": "2025-12-12T09:02:27.681292Z",
          "number": "1.0.1",
          "summary": "We hebben bericht ontvangen dat de genoemde versies in de GeoServer advisory onder \u0027Resolution\u0027 nog kwetsbaar zijn. Updaten naar de nieuwste versie 2.28.1 verhelpt voor zover bekend wel deze kwetsbaarheid."
        }
      ],
      "status": "final",
      "version": "1.0.1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "GeoServer"
          }
        ],
        "category": "vendor",
        "name": "GeoServer"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-58360",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "description",
          "text": "GeoServer versions 2.26.0 to 2.26.2 and 2.25.6 are vulnerable to an XML External Entity (XXE) attack via the `/geoserver/wms` GetMap operation due to insufficient XML input sanitization.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-58360 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-58360.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2025-58360"
    }
  ]
}

GHSA-FJF5-XGMQ-5525

Vulnerability from github – Published: 2025-11-25 19:07 – Updated: 2025-12-11 21:55

Summary

GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature

Details

Description

An XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request.

An XML External Entity attack is a type of attack that occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

By exploiting this vulnerability, an attacker can: - Read arbitrary files from the server's file system. - Conduct Server-Side Request Forgery (SSRF) to interact with internal systems. - Execute Denial of Service (DoS) attacks by exhausting resources.

Resolution

Update to GeoServer 2.25.6, GeoServer 2.26.3, or GeoServer 2.27.0.

Impact

The XXE vulnerability can be used to retrieve arbitrary files from the server's file system.

Reference

https://osgeo-org.atlassian.net/browse/GEOS-11682
XBOW-024-081

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Severity ?

8.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.26.0"
            },
            {
              "fixed": "2.26.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-wms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.26.0"
            },
            {
              "fixed": "2.26.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-wms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58360"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-25T19:07:05Z",
    "nvd_published_at": "2025-11-25T21:15:56Z",
    "severity": "HIGH"
  },
  "details": "## Description\n\nAn XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint ``/geoserver/wms`` operation ``GetMap``. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request.\n\nAn XML External Entity attack is a type of attack that occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.\n\nBy exploiting this vulnerability, an attacker can:\n- Read arbitrary files from the server\u0027s file system.\n- Conduct Server-Side Request Forgery (SSRF) to interact with internal systems.\n- Execute Denial of Service (DoS) attacks by exhausting resources.\n\n## Resolution\n\nUpdate to GeoServer 2.25.6, GeoServer 2.26.3, or GeoServer 2.27.0.\n\n## Impact\n\nThe XXE vulnerability can be used to retrieve arbitrary files from the server\u0027s file system.\n\n## Reference\n\n* https://osgeo-org.atlassian.net/browse/GEOS-11682\n* XBOW-024-081\n\n## Disclaimer\n\nThis vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.",
  "id": "GHSA-fjf5-xgmq-5525",
  "modified": "2025-12-11T21:55:34Z",
  "published": "2025-11-25T19:07:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58360"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geoserver/geoserver"
    },
    {
      "type": "WEB",
      "url": "https://osgeo-org.atlassian.net/browse/GEOS-11682"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-58360 (GCVE-0-2025-58360)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

FKIE_CVE-2025-58360

WID-SEC-W-2025-2676

NCSC-2025-0393

GHSA-FJF5-XGMQ-5525

Description

Resolution

Impact

Reference

Disclaimer

Tags

Sightings

Nomenclature