9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-36404

GHSA ID

GHSA-w3pj-wh35-fq8w

EPSS Score

0.99312%

CWE

CWE-95

Published

2/5/2025

Updated

2/5/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-36404

CVE-2024-36404: GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions

Summary

Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.

Details

The following methods pass XPath expressions to the commons-jxpath library which can execute arbitrary code and would be a security issue if the XPath expressions are provided by user input.

org.geotools.appschema.util.XmlXpathUtilites.getXPathValues(NamespaceSupport, String, Document)
org.geotools.appschema.util.XmlXpathUtilites.countXPathNodes(NamespaceSupport, String, Document)
org.geotools.appschema.util.XmlXpathUtilites.getSingleXPathValue(NamespaceSupport, String, Document)
org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get(Object, String, Class<T>)
org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.set(Object, String, Object, Class)
org.geotools.data.complex.expression.MapPropertyAccessorFactory.new PropertyAccessor() {...}.get(Object, String, Class<T>)
org.geotools.xsd.StreamingParser.StreamingParser(Configuration, InputStream, String)

PoC

The following inputs to StreamingParser will delay the response by five seconds:

        new org.geotools.xsd.StreamingParser(
                        new org.geotools.filter.v1_0.OGCConfiguration(),
                        new java.io.ByteArrayInputStream("<Filter></Filter>".getBytes()),
                        "java.lang.Thread.sleep(5000)")
                .parse();

Impact

This vulnerability can lead to executing arbitrary code.

Mitigation

GeoTools can operate with reduced functionality by removing the gt-complex jar from your application. As an example of the impact application schema datastore would not function without the ability to use XPath expressions to query complex content.

Miggo Vulnerability Database

→

CVE-2024-36404

CVE-2024-36404:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-36404

GHSA ID

GHSA-w3pj-wh35-fq8w

EPSS Score

0.99312%

CWE

CWE-95

Published

2/5/2025

Updated

2/5/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.geotools:gt-app-schema	maven	>= 30.0, < 30.4	30.4
org.geotools:gt-complex	maven	>= 30.0, < 30.4	30.4
org.geotools.xsd:gt-xsd-core	maven	>= 30.0, < 30.4	30.4
org.geotools:gt-app-schema	maven	>= 31.0, < 31.2	31.2
org.geotools:gt-complex	maven	>= 31.0, < 31.2	31.2
org.geotools.xsd:gt-xsd-core	maven	>= 31.0, < 31.2	31.2
org.geotools:gt-app-schema	maven	>= 29.0, < 29.6	29.6
org.geotools:gt-complex	maven	>= 29.0, < 29.6	29.6
org.geotools.xsd:gt-xsd-core	maven	>= 29.0, < 29.6	29.6
org.geotools:gt-app-schema	maven	< 28.6	28.6
org.geotools:gt-complex	maven	< 28.6	28.6
org.geotools.xsd:gt-xsd-core	maven	< 28.6	28.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

These functions were explicitly listed in vulnerability details as passing user-controlled XPath to commons-jxpath. The commit diff shows they were modified to use JXPathUtils.newSafeContext (which disables functions), confirming their pre-patch vulnerability. The PoC demonstrates exploitation via StreamingParser constructor. All methods create JXPathContext instances without proper security controls, enabling CWE-95 eval injection via XPath expressions containing Java method calls.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-36404: GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions

Summary

Details

PoC

Impact

Mitigation

CVE-2024-36404:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

9.8

9.8

Technical Details

CVE-2024-36404: GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions

Summary

Details

PoC

Impact

Mitigation

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI