Improper URI Validation in GeoServer by GeoTools
CVE-2024-34711

9.3 CRITICAL

Key Information:

Vendor: GeoServer
Status: Vendor
CVE Published: 10 June 2025

What is CVE-2024-34711?

GeoServer, an open-source server for sharing and editing geospatial data, parses XML requests and resolves the external entities and schema references they contain. To keep those references from being abused for XML External Entity (XXE) attacks, GeoServer delegates entity resolution to the PreventLocalEntityResolver class from GeoTools, which decides with a regular expression whether a URI may be resolved. That regex is too permissive: it blocks local file access but still accepts URIs that point at arbitrary HTTP servers. An unauthenticated attacker can therefore submit a crafted request whose entity URI targets any host the GeoServer instance can reach, turning the server into a proxy for scanning internal networks and probing services that are not exposed to the attacker directly. This discloses information about the internal environment and can serve as a stepping stone to further compromise. Deployments should upgrade to a fixed release (see Affected Version(s)) and restrict entity resolution to the external hosts they actually need schemas from, rather than relying on a pattern match over the URI string.
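The following is an added example, not GeoServer or GeoTools code, showing why a prefix/suffix regex is the wrong tool for vetting external-entity URIs and what a host allow-list check looks like instead. The PERMISSIVE pattern is an assumption modelled on the behaviour described above (accept http, jar:file or vfs URIs that look like .xsd schemas) and is not the exact GeoTools expression; the allow-list approach is what a practitioner would want, not a claim about the project's own fix. The XML probe, the 10.0.0.5 target and the allowed-host list are constructed for the demonstration. The SAX resolver never performs a network fetch: allowed entities get a stub body, denied ones abort the parse.

```python
import io
import re
import xml.sax
from urllib.parse import urlsplit
from xml.sax.handler import EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# ASSUMED permissive check, modelled on the advisory's description (scheme prefix plus
# a ".xsd" suffix, no look at the host).  Not the exact GeoTools expression.
PERMISSIVE = re.compile(r"(?i)^(jar:file|https?|vfs)[^?#;]*\.xsd$")


def permissive_allows(uri: str) -> bool:
    """Regex-only check: accepts any HTTP host as long as the path ends in .xsd."""
    return PERMISSIVE.match(uri) is not None


# Illustrative allow-list of schema hosts a deployment legitimately needs (constructed).
ALLOWED_HOSTS = frozenset({"www.w3.org", "schemas.opengis.net", "www.opengis.net"})


def allowlist_allows(uri: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Parse the URI and decide on scheme and exact host, never on a substring."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username or parts.password:  # e.g. http://schemas.opengis.net@10.0.0.5/...
        return False
    host = parts.hostname  # lower-cased by urlsplit, brackets stripped for IPv6
    return host is not None and host in allowed_hosts


class PolicyResolver(EntityResolver):
    """SAX EntityResolver that records every external URI the parser asks for,
    consults `policy`, and never fetches anything: allowed entities get a stub body."""

    def __init__(self, policy):
        self.policy = policy
        self.seen = []
        self.blocked = None

    def resolveEntity(self, publicId, systemId):
        self.seen.append(systemId)
        if not self.policy(systemId):
            self.blocked = systemId
            raise ValueError("external entity blocked: " + systemId)
        src = InputSource()
        src.setByteStream(io.BytesIO(b"<!-- stub body, nothing fetched -->"))
        return src


def check_entities(payload: bytes, policy) -> dict:
    """Parse `payload` under `policy`; report the external URIs requested and which one
    (if any) was blocked.  External general entities are enabled explicitly because
    Python's xml.sax leaves them off by default, which would hide the resolver call."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    resolver = PolicyResolver(policy)
    parser.setEntityResolver(resolver)
    try:
        parser.parse(io.BytesIO(payload))
    except ValueError:
        pass  # the resolver refused an entity; parsing stopped there
    return {"seen": resolver.seen, "blocked": resolver.blocked}


# Constructed XXE-style probe: the entity URI names an internal host, not a schema site,
# but still ends in ".xsd" so the regex check lets it through.
PROBE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE GetFeature [
  <!ENTITY probe SYSTEM "http://10.0.0.5:8080/internal.xsd">
]>
<GetFeature>&probe;</GetFeature>
"""

if __name__ == "__main__":
    for name, policy in (("regex", permissive_allows), ("allow-list", allowlist_allows)):
        print(name, check_entities(PROBE_PAYLOAD, policy))
```

Run against the probe, the regex policy lets the parser ask for `http://10.0.0.5:8080/internal.xsd` (in a real resolver that request would go out to the internal host), while the allow-list policy refuses it before any connection is attempted. The same allow-list check also rejects the `user@host` trick, where the allowed host name is placed in the userinfo part of the URL and the real target follows the `@`, because the decision is made on the parsed host rather than on the raw string.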

Affected Version(s)

geoserver < 2.25.0

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
