8.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-58360

CVE-2025-58360: GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature

Description

An XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request.

An XML External Entity attack is a type of attack that occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

By exploiting this vulnerability, an attacker can:

Read arbitrary files from the server's file system.
Conduct Server-Side Request Forgery (SSRF) to interact with internal systems.
Execute Denial of Service (DoS) attacks by exhausting resources.

Resolution

Update to GeoServer 2.25.6, GeoServer 2.26.3, or GeoServer 2.27.0.

Impact

The XXE vulnerability can be used to retrieve arbitrary files from the server's file system.

Reference

https://osgeo-org.atlassian.net/browse/GEOS-11682
XBOW-024-081

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-58360

CVE-2025-58360:

8.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.geoserver.web:gs-web-app	maven	>= 2.26.0, < 2.26.2	2.26.2
org.geoserver:gs-wms	maven	>= 2.26.0, < 2.26.2	2.26.2
org.geoserver.web:gs-web-app	maven	< 2.25.6	2.25.6
org.geoserver:gs-wms	maven	< 2.25.6	2.25.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an XML External Entity (XXE) injection in the WMS GetMap operation of GeoServer. The analysis of the provided patches revealed that the vulnerability lies within the org.geoserver.sld.SLDXmlRequestReader class, specifically in the read method. This method is responsible for parsing the SLD (Styled Layer Descriptor) XML body provided in a POST request to the WMS endpoint. The patch commit feed622f2832d675d75d5b3924967596f75a0a2d shows that the call to the XML parser (styleParser.parse) was modified to include an EntityResolver. Previously, this argument was null, leading the parser to use a default configuration that allowed external entity resolution. The fix involves retrieving a secure EntityResolver from wms.getCatalog().getResourcePool().getEntityResolver() and passing it to the parser. This resolver is configured to disallow external entities, thus mitigating the XXE vulnerability. The exploitation of this vulnerability would involve this read function being called to process a malicious XML payload.

Vulnerable functions

org.geoserver.sld.SLDXmlRequestReader.read

src/wms/src/main/java/org/geoserver/sld/SLDXmlRequestReader.java

The 'read' method in SLDXmlRequestReader is responsible for parsing the XML payload of a WMS GetMap request. Before the patch, it called the XML parser without a secure EntityResolver, making it vulnerable to XML External Entity (XXE) attacks. The patch fixes this by obtaining a secure EntityResolver from the application's resource pool and passing it to the parser, which prevents the resolution of external entities.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-58360: GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature

Description

Resolution

Impact

Reference

Disclaimer

CVE-2025-58360:

8.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2025-58360: GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature

Description

Resolution

Impact

Reference

Disclaimer

8.2

8.2

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI