CVE-2025-30220
published 2025-06-10


Priority: P1 88, critical, CVSS 3.1 base score 9.1
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
Flags: in the wild (ITW), public exploit, VulnCheck KEV
Exploited in the wild
EPSS: 50.82% (98.8th percentile)
GeoServer is an open source server that allows users to share and edit geospatial data. The GeoTools Schemas class's use of the Eclipse XSD library to represent the schema data structure is vulnerable to XML External Entity (XXE) attack. This impacts anyone who exposes XML processing in which gt-xsd-core is involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class does not use the EntityResolver provided by the ParserHandler (if one was configured). This also impacts users of the gt-wfs-ng DataStore, where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1; GeoServer 2.27.1, 2.26.3, and 2.25.7; and GeoNetwork 4.4.8 and 4.2.13.

Affected (12 ranges)

Vendor      Product     Version range          Fixed in
geoserver   geoserver   < 2.25.7               2.25.7
geoserver   geoserver   (range not given)
geoserver   geoserver   (range not given)
geotools    geotools    < 28.6.1               28.6.1
geotools    geotools    (range not given)
geotools    geotools    >= 29.0, < 31.7        31.7
geotools    geotools    >= 32.0, < 32.3        32.3
osgeo       geonetwork  >= 4.2.0, < 4.2.13     4.2.13
osgeo       geonetwork  >= 4.4.0, < 4.4.8      4.4.8
osgeo       geoserver   < 2.25.7               2.25.7
osgeo       geoserver   (range not given)
osgeo       geoserver   >= 2.26.0, < 2.26.3    2.26.3

Detection & IOCs (extracted from sources)

URL: /geoserver/wfs?service=WFS&request=GetCapabilities
URL: /geoserver/ows?service=WFS&request=GetCapabilities
URL: /wfs?service=WFS&request=GetCapabilities
URL: /ows?service=WFS&request=GetCapabilities
URL: /geoserver/wfs?service=WFS
URL: /geoserver/ows?service=WFS
URL: /wfs?service=WFS
URL: /ows?service=WFS
  • Probe for GeoServer WFS capability endpoint by sending GET request and matching response body containing 'wfs:WFS_Capabilities', content-type 'application/xml', and HTTP 200 status.
  • Exploit confirmation: POST an XXE payload to the WFS endpoint and detect successful OOB interaction via interactsh DNS callback combined with HTTP 200 response.
  • Error string 'java.lang.NullPointerException' in the WFS POST response body is an indicator of successful XXE trigger in vulnerable GeoServer versions.
  • Use Shodan query 'title:"geoserver"' or HTML hash '1093634893' or favicon hash '97540678' to identify exposed GeoServer instances for targeted scanning.
  • Use FOFA queries 'title="geoserver"', 'app="geoserver"', 'icon_hash="97540678"', or 'body="/geoserver/"' to enumerate internet-facing GeoServer instances.
  • The attack is unauthenticated (PR:N) and network-reachable (AV:N), targeting the WFS endpoint via a crafted XML POST body with an external entity reference pointing to an attacker-controlled OOB server.
  • The gt-xsd-core Schemas class does not use the EntityResolver configured via ParserHandler, meaning even deployments that set an EntityResolver may still be vulnerable until patched.
  • The ENTITY_RESOLVER connection parameter in gt-wfs-ng DataStore was not being applied as intended, so WFS-NG DataStore users relying on this parameter for XXE mitigation are not protected.
  • The vulnerability is triggered when XML documents carry a reference to an external XML schema, not just arbitrary external entities; the scope includes any XML processing path involving gt-xsd-core.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
ghsa                  9.1     CRITICAL
osv                   9.1     CRITICAL
vulncheck             9.9     CRITICAL