XML External Entity Exploit in GeoServer and GeoNetwork by GeoTools
CVE-2025-30220

9.9 CRITICAL

Key Information:

Vendor: GeoServer
Status: Vendor
CVE Published: 10 June 2025

What is CVE-2025-30220?

GeoServer, an open source geospatial data server, is susceptible to an XML External Entity (XXE) vulnerability. The issue arises from the use of the Eclipse XSD library within the GeoTools Schema class: when XML processing is not properly restricted, a document that references an external XML schema can cause the parser to fetch that reference, leading to sensitive data exposure or unauthorized access. Users of gt-xsd-core, the module responsible for document parsing, are at risk if the EntityResolver is not properly configured. Users of the gt-wfs-ng DataStore are also affected where the ENTITY_RESOLVER parameter is not used as intended. The problem has been addressed in several updates to GeoTools and GeoServer, hardening their XML handling against such attacks.
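The mitigation the advisory names is a properly configured EntityResolver. The following is an added example, not code from GeoTools or GeoServer: it uses plain JAXP (not the gt-xsd-core Parser or the gt-wfs-ng ENTITY_RESOLVER parameter, which are where a resolver like DENY_ALL would be installed in a real deployment) to show that a parser left at defaults asks for whatever external resource a document names, while a hardened parser with a deny-all resolver refuses it. The two XML documents and the example.invalid URI are constructed test inputs.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical demo class (not GeoTools code): why an EntityResolver must be configured. */
public class XxeResolverDemo {

    // Constructed sample: a plain document with no external references.
    static final String PLAIN =
        "<?xml version=\"1.0\"?><Capabilities><Layer>roads</Layer></Capabilities>";

    // Constructed sample: the same document, but its DOCTYPE names an external DTD.
    // example.invalid is a placeholder host; a real document could name any URL or file.
    static final String EXTERNAL_REF =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE Capabilities SYSTEM \"http://example.invalid/wfs.dtd\">"
        + "<Capabilities><Layer>roads</Layer></Capabilities>";

    /** Records every external resource the parser asks for and hands back an empty one. */
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader(""));
        }
    }

    /** Refuses every external entity outright: nothing is read from disk or the network. */
    static final EntityResolver DENY_ALL = (publicId, systemId) -> {
        throw new SAXException("external entity blocked: " + systemId);
    };

    /** Parser at JAXP defaults, with only a recorder attached so we can see what it would fetch. */
    static DocumentBuilder defaultBuilder(EntityResolver r) throws ParserConfigurationException {
        DocumentBuilder b = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        b.setEntityResolver(r);
        return b;
    }

    /** Hardened parser: DOCTYPE forbidden, external entities and DTD loading off, deny-all resolver. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Even if a feature above were unsupported by some parser, the resolver still blocks every fetch.
        b.setEntityResolver(DENY_ALL);
        return b;
    }

    /** Returns true if the document parsed, false if the parser rejected it. */
    static boolean parses(DocumentBuilder b, String xml) {
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException | IOException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        RecordingResolver recorder = new RecordingResolver();
        DocumentBuilder unsafe = defaultBuilder(recorder);
        System.out.println("default parser, plain doc:        " + parses(unsafe, PLAIN));
        System.out.println("default parser, external DTD ref: " + parses(unsafe, EXTERNAL_REF));
        System.out.println("  resources the default parser asked for: " + recorder.requested);

        DocumentBuilder safe = hardenedBuilder();
        System.out.println("hardened parser, plain doc:        " + parses(safe, PLAIN));
        System.out.println("hardened parser, external DTD ref: " + parses(safe, EXTERNAL_REF));
    }
}
```

The default parser accepts both documents and the recorder shows it asked for http://example.invalid/wfs.dtd; had no resolver been set at all, the parser would have fetched it itself. The hardened parser accepts the plain document and rejects the one with the DOCTYPE before any resolution happens. The feature URIs are the ones supported by the JDK's built-in Xerces parser; for a different parser implementation, check which of them it honours, which is why the deny-all resolver is kept as a second layer.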

Affected Version(s)

geoserver >= 2.27.0, < 2.27.1 (fixed in 2.27.1)

geoserver >= 2.26.0, < 2.26.3 (fixed in 2.26.3)

geoserver < 2.25.7 (fixed in 2.25.7)

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
