CVE-2025-30220
Published: 2025-06-10
Priority: P188 · Severity: critical · CVSS 3.1 base score: 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
In the wild: exploited (VulnCheck KEV)
EPSS: 50.82% (98.8th percentile)
GeoServer is an open source server that allows users to share and edit geospatial data. The GeoTools Schema class's use of the Eclipse XSD library to represent the schema data structure is vulnerable to XML External Entity (XXE) attacks. This affects any deployment that exposes XML processing in which gt-xsd-core takes part in parsing and the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class does not use the EntityResolver provided by the ParserHandler (if one was configured). This also affects users of the gt-wfs-ng DataStore, where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoserver | geoserver | < 2.25.7 | 2.25.7 |
| geoserver | geoserver | — | — |
| geoserver | geoserver | — | — |
| geotools | geotools | < 28.6.1 | 28.6.1 |
| geotools | geotools | — | — |
| geotools | geotools | >= 29.0 < 31.7 | 31.7 |
| geotools | geotools | >= 32.0 < 32.3 | 32.3 |
| osgeo | geonetwork | >= 4.2.0 < 4.2.13 | 4.2.13 |
| osgeo | geonetwork | >= 4.4.0 < 4.4.8 | 4.4.8 |
| osgeo | geoserver | < 2.25.7 | 2.25.7 |
| osgeo | geoserver | — | — |
| osgeo | geoserver | >= 2.26.0 < 2.26.3 | 2.26.3 |
Detection & IOCs (extracted from sources)
URL paths:
- /geoserver/wfs?service=WFS&request=GetCapabilities
- /geoserver/ows?service=WFS&request=GetCapabilities
- /wfs?service=WFS&request=GetCapabilities
- /ows?service=WFS&request=GetCapabilities
- /geoserver/wfs?service=WFS
- /geoserver/ows?service=WFS
- /wfs?service=WFS
- /ows?service=WFS
- Probe for the GeoServer WFS capability endpoint by sending a GET request and matching a response body containing 'wfs:WFS_Capabilities', content-type 'application/xml', and HTTP 200 status.
- Exploit confirmation: POST an XXE payload to the WFS endpoint and detect a successful OOB interaction via an interactsh DNS callback combined with an HTTP 200 response.
- The error string 'java.lang.NullPointerException' in the WFS POST response body is an indicator of a successful XXE trigger in vulnerable GeoServer versions.
- Use the Shodan query 'title:"geoserver"' or HTML hash '1093634893' or favicon hash '97540678' to identify exposed GeoServer instances for targeted scanning.
- Use the FOFA queries 'title="geoserver"', 'app="geoserver"', 'icon_hash="97540678"', or 'body="/geoserver/"' to enumerate internet-facing GeoServer instances.
- The attack is unauthenticated (PR:N) and network-reachable (AV:N), targeting the WFS endpoint via a crafted XML POST body with an external entity reference pointing to an attacker-controlled OOB server.
- The gt-xsd-core Schemas class does not use the EntityResolver configured via ParserHandler, meaning even deployments that set an EntityResolver may still be vulnerable until patched.
- The ENTITY_RESOLVER connection parameter in the gt-wfs-ng DataStore was not being applied as intended, so WFS-NG DataStore users relying on this parameter for XXE mitigation are not protected.
- The vulnerability is triggered when XML documents carry a reference to an external XML schema, not just arbitrary external entities; the scope includes any XML processing path involving gt-xsd-core.
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| GHSA | 9.1 | CRITICAL | |
| OSV | 9.1 | CRITICAL | |
| VulnCheck | 9.9 | CRITICAL | |
OSV
[XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service
osv · 2025-06-10 · CVSS 9.1 · CRITICAL
## Summary
The GeoServer Web Feature Service (WFS) web service was found to be vulnerable to the GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack.
It is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Server-Side Request Forgery (SSRF).
## Details
While direct entity resolution is managed by the application property ENTITY_RESOLUTION_ALLOWLIST for XML parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation.
This bypasses GeoServer's AllowListEntityResolver.
GHSA
[XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service
ghsa · 2025-06-10 · CVSS 9.1 · CRITICAL · CWE-611
The GHSA summary and details are identical to the OSV entry above.
VulnCheck
geotools geotools Improper Restriction of XML External Entity Reference
vulncheck · 2025 · CVSS 9.9 · CRITICAL
No detection rules found.
Nuclei
GeoServer WFS - XXE Processing Vulnerability
nuclei · CVSS 9.1 · CRITICAL
GeoServer Web Feature Service (WFS) is vulnerable to an XML External Entity (XXE) processing attack due to improper handling of XML input. This vulnerability allows attackers to perform Out-of-Band (OOB) data exfiltration and Server-Side Request Forgery (SSRF) by exploiting the GeoTools library.
Template:

```yaml
id: CVE-2025-30220

info:
  name: GeoServer WFS - XXE Processing Vulnerability
  author: iamnoooob,pdresearch,darses
  severity: critical
  description: |
    GeoServer Web Feature Service (WFS) is vulnerable to an XML External Entity (XXE) processing attack due to improper handling of XML input. This vulnerability allows attackers to perform Out-of-Band (OOB) data exfiltration and Server-Side Request Forgery (SSRF) by exploiting the GeoTools library.
  i
```
References:
- https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
- https://github.com/geonetwork/core-geonetwork/pull/8757
- https://github.com/geonetwork/core-geonetwork/pull/8803
- https://github.com/geonetwork/core-geonetwork/pull/8812
- https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc
- https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
- https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw