9.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-34711

GHSA ID

GHSA-mc43-4fqr-c965

EPSS Score

0.10905%

CWE

CWE-20

Published

6/10/2025

Updated

6/10/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-34711

CVE-2024-34711: GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)

Summary

An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. Attacker can abuse this to scan internal networks and gain information about them then exploit further. Moreover, attacker can read limited .xsd file on system.

Details

By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file.

Impact

An unauthenticated attacker can:

Scan internal network to gain insight about it and exploit further.
SSRF to endpoint ends with .xsd.
Read limited .xsd file on system.

Mitigation

Define the system property ENTITY_RESOLUTION_ALLOWLIST to limit the supported external schema locaitons.
The built-in allow list covers the locations required for the operation of OGC web services: www.w3.org,schemas.opengis.net,www.opengis.net,inspire.ec.europa.eu/schemas.
The user guide provides details on how to add additional locations (this is required for app-schema plugin where a schema is supplied to define an output format).

Resolution

GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.
The use of ENTITY_RESOLUTION_ALLOWLIST is still supported if you require additional schema locations to be supported beyond the built-in allow list.
GeoServer 2.25.1 change ENTITY_RESOLUTION_ALLOWLIST no longer supports regular expressions

References

External Entities Resolution (GeoServer User Guide)

Credits

Le Mau Anh Phong from VNG Security Response Center & VNUHCM - University of Information Technology

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-34711

CVE-2024-34711:

9.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-34711

GHSA ID

GHSA-mc43-4fqr-c965

EPSS Score

0.10905%

CWE

CWE-20

Published

6/10/2025

Updated

6/10/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.geoserver.web:gs-web-app	maven	< 2.25.0	2.25.0
org.geoserver.main:gs-main	maven	< 2.25.0	2.25.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The root cause of the vulnerability is an improper URI validation regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd within the org.geotools.util.PreventLocalEntityResolver class, part of the GeoTools library. This regex allows an attacker to specify arbitrary HTTP URLs (ending in .xsd) or certain file URIs for XML external entities, leading to SSRF and potential local file access.

GeoServer's vulnerability (CVE-2024-34711 / GHSA-mc43-4fqr-c965) stemmed from its default behavior of using this vulnerable PreventLocalEntityResolver when no ENTITY_RESOLUTION_ALLOWLIST system property was configured or if it was left empty. The GeoServer functions org.geoserver.util.EntityResolverProvider.entityResolutionAllowlist() and org.geoserver.util.EntityResolverProvider.getEntityResolver() were responsible for this default selection.

The patch (commit 87a73326940da64fd56b888a8c2785d868b87b7a) mitigates this by changing GeoServer's default. It ensures that EntityResolverProvider.entityResolutionAllowlist() now returns a predefined, safe list of allowed domains (W3C, OGC, Inspire schemas) if the ENTITY_RESOLUTION_ALLOWLIST property is not set. Consequently, EntityResolverProvider.getEntityResolver() now defaults to using org.geoserver.util.AllowListEntityResolver (which consumes this safe list) instead of the vulnerable PreventLocalEntityResolver.

During exploitation in a vulnerable version, a request with a malicious XML payload would cause the XML parser to invoke org.geotools.util.PreventLocalEntityResolver.resolveEntity(...). This function would then apply the flawed regex, allowing the SSRF or file access. The GeoServer EntityResolverProvider methods would appear earlier in the call stack related to setting up the XML parser's entity resolution strategy.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-34711: GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)

Summary

Details

Impact

Mitigation

Resolution

References

Credits

CVE-2024-34711:

9.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

9.3

9.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-34711: GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)

Summary

Details

Impact

Mitigation

Resolution

References

Credits

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI