Boolean-Based SQL Injection Vulnerability in MapServer by MapServer Organization
CVE-2025-59431

8.9HIGH

Key Information:

Vendor: Mapserver
Status: Mapserver
Vendor: CVE Published:; 19 September 2025

What is CVE-2025-59431?

MapServer is a platform for developing web-based Geographic Information System (GIS) applications. A vulnerability exists in versions prior to 8.4.1, specifically in the XML Filter Query directive known as PropertyName. An attacker can exploit this vulnerability through Boolean-based SQL injection, enabling the manipulation of backend database queries by bypassing expression checks with the use of double quote characters. A patch has been released in version 8.4.1 to address this issue.

Affected Version(s)

MapServer < 8.4.1

References

https://github.com/MapServer/MapServer/security/advisorie...

x_refsource_CONFIRM

CVSS V4

Score:

8.9

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 19, 2025
Vulnerability Reserved
Sep 15, 2025

CVE-2025-59431 Data

JSON

Mapserver

What is CVE-2025-59431?

Affected Version(s)

References

CVSS V4

Timeline