CVE-2025-59431 — SQL Injection in Mapserver

CWE-89 — SQL Injection3 documents3 sources

Severity

8.9HIGHNVD

EPSS

0.1%

top 80.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mapserver Osgeo Mapserver Debian Mapserver

Timeline

PublishedSep 19

Description

MapServer is a system for developing web-based GIS applications. Prior to 8.4.1, the XML Filter Query directive PropertyName is vulnerably to Boolean-based SQL injection. It seems like expression checking is bypassed by introducing double quote characters in the PropertyName. Allowing to manipulate backend database queries. This vulnerability is fixed in 8.4.1.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶debiandebian/mapserver< mapserver 7.6.2-1+deb11u1 (bullseye)

▶CVEListV5mapserver/mapserver< 8.4.1

▶Debianosgeo/mapserver< 7.6.2-1+deb11u1+2

▶NVDosgeo/mapserver8.4.0

🔴Vulnerability Details

OSV

CVE-2025-59431: MapServer is a system for developing web-based GIS applications↗2025-09-19

▶

📋Vendor Advisories

Debian

CVE-2025-59431: mapserver - MapServer is a system for developing web-based GIS applications. Prior to 8.4.1,...↗2025

▶