6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-21621

GHSA ID

GHSA-w66h-j855-qr72

EPSS Score

CWE

CWE-79

Published

11/25/2025

Updated

11/25/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-21621

CVE-2025-21621: GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format

Summary

A reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters.

Details

The WMS service setting that controls HTML auto-escaping is either disabled by default, or completely missing, in the affected versions (see workarounds).

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

Perform any action within the application that the user can perform.
View any information that the user is able to view.
Modify any information that the user is able to modify.
Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

Workarounds

Changing any of the following WMS service settings should mitigate this vulnerability in most environments:

Enable GetFeatureInfo HTML auto-escaping (available in GeoServer 2.21.3+ and 2.22.1+)
Disable dynamic styling
Disable GetFeatureInfo text/html MIME type

References

https://osgeo-org.atlassian.net/browse/GEOS-11297 https://github.com/geoserver/geoserver/pull/7406

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-21621

CVE-2025-21621:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-21621

GHSA ID

GHSA-w66h-j855-qr72

EPSS Score

CWE

CWE-79

Published

11/25/2025

Updated

11/25/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.geoserver.web:gs-web-app	maven	< 2.25.0	2.25.0
org.geoserver:gs-wms	maven	< 2.25.0	2.25.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a reflected Cross-Site Scripting (XSS) issue in GeoServer's WMS GetFeatureInfo HTML output format. The root cause is that HTML auto-escaping for the FreeMarker templates used to generate this output was disabled by default.

Analysis of the provided patch from pull request #7406, specifically commit 913f0d6e6bf9b09f3e93aa6bc9f33ed3cf976ef2, points directly to the vulnerable code. The changes are centered in src/wms/src/main/java/org/geoserver/wms/featureinfo/FreeMarkerTemplateManager.java.

The key identified vulnerable function is org.geoserver.wms.featureinfo.FreeMarkerTemplateManager.getTemplate. Before the patch, this function would only enable auto-escaping (templateConfig.setOutputFormat(HTMLOutputFormat.INSTANCE)) if a specific WMS setting (wms.isAutoEscapeTemplateValues()) was explicitly enabled. Since this setting was off by default, any GetFeatureInfo request that resulted in HTML output was vulnerable to XSS if user-provided data was reflected in the response.

A second critical function, org.geoserver.wms.featureinfo.HTMLFeatureInfoOutputFormat.write, is the entry point that handles the request and produces the vulnerable HTML. While the logical flaw was in getTemplate, the write function is the one that would be seen in a runtime profile as it orchestrates the entire process of generating the unsafe output. The associated test file confirms that outputFormat.write(...) is the method that triggers the vulnerable output generation.

Vulnerable functions

org.geoserver.wms.featureinfo.FreeMarkerTemplateManager.getTemplate

src/wms/src/main/java/org/geoserver/wms/featureinfo/FreeMarkerTemplateManager.java

This function is responsible for configuring FreeMarker templates for rendering GetFeatureInfo responses. The vulnerability existed because the code only enabled HTML auto-escaping when a specific configuration, `wms.isAutoEscapeTemplateValues()`, was true. This setting was disabled by default. As a result, when generating HTML output, FreeMarker's auto-escaping was not activated, allowing unescaped data from the request (such as the `SLD_BODY` parameter) to be rendered in the template. This created a reflected Cross-Site Scripting (XSS) vulnerability. The patch changes this logic to enable auto-escaping by default, thus mitigating the vulnerability.

org.geoserver.wms.featureinfo.HTMLFeatureInfoOutputFormat.write

src/wms/src/main/java/org/geoserver/wms/featureinfo/HTMLFeatureInfoOutputFormat.java

This function generates the final HTML output for a WMS GetFeatureInfo request. It uses the `FreeMarkerTemplateManager` to prepare and execute the template. Because the underlying `FreeMarkerTemplateManager.getTemplate` method failed to properly enable HTML auto-escaping by default, this `write` method would produce an HTML document containing unescaped, malicious user input. An attacker triggering the vulnerability would cause this function to be executed, and it would appear in any runtime profile or stack trace related to the exploit.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-21621: GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format

Summary

Details

Impact

Workarounds

References

CVE-2025-21621:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.1

6.1

Technical Details

CVE-2025-21621: GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format

Summary

Details

Impact

Workarounds

References

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI