XML External Entity Flaw in GeoServer by OSGeo

CVE-2025-58360

What is CVE-2025-58360?

CVE-2025-58360 is a vulnerability affecting GeoServer, an open-source server designed for sharing and editing geospatial data. The issue arises from an XML External Entity (XXE) flaw that impacts versions of GeoServer ranging from 2.26.0 to before 2.26.2 and 2.25.6. This vulnerability allows attackers to send specially crafted XML input to the server's /geoserver/wms operation GetMap endpoint. Due to insufficient sanitization of this input, an attacker could exploit the vulnerability by including external entities in the XML request, potentially leading to unauthorized data access or other malicious outcomes. GeoServer has addressed this vulnerability in later versions, specifically 2.25.6, 2.26.3, and 2.27.0.

Potential Impact of CVE-2025-58360

1. Data Leakage: The primary risk associated with CVE-2025-58360 is the potential for unauthorized access to sensitive geospatial data. Exploiting the XXE vulnerability could allow attackers to retrieve arbitrary files from the server, leading to information disclosure.

2. Denial of Service: Through specially crafted XML payloads, an attacker could trigger denial of service scenarios by overloading the server or causing it to crash, thereby disrupting services that depend on GeoServer for geospatial data access.

3. Increased Attack Surface: The presence of this vulnerability may create opportunities for further exploitation of the system, as attackers could use initial access gained via the XXE flaw to explore and compromise additional services or databases linked to the GeoServer instance.

References