CVE-2025-30220

Source
https://cve.org/CVERecord?id=CVE-2025-30220
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30220.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-30220
Aliases
Related
Published
2025-06-10T15:16:39.339Z
Modified
2026-04-10T05:24:42.285549Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Summary
GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling
Details

GeoServer is an open source server that allows users to share and edit geospatial data. The GeoTools Schemas class in gt-xsd-core uses the Eclipse XSD library to represent the schema data structure, and that parsing path is vulnerable to XML External Entity (XXE) processing. Anyone who exposes XML processing in which gt-xsd-core takes part in parsing is affected when the documents carry a reference to an external XML schema: the Schemas class does not use the EntityResolver provided by the ParserHandler (if one was configured), so a resolver set up at the call site has no effect on that parse and external entities in the referenced schema are resolved. Users of the gt-wfs-ng DataStore are also affected, because its ENTITY_RESOLVER connection parameter was not being applied as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7 and 28.6.1, GeoServer 2.27.1, 2.26.3 and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
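The bug pattern described above, as an added example that is not GeoTools or GeoServer code: a caller supplies an EntityResolver, but an inner parse site builds its own parser and never installs it, so the external entity declared in the document is fetched from disk; installing the caller's resolver at that site fails closed. The class and method names (EntityResolverDemo, parseDroppingResolver, parseHonouringResolver, DENY_ALL) are hypothetical, the XML document is constructed for the demo, and the "secret" file it reads is a temporary file created by the demo itself. Only JDK APIs are used.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added example (not GeoTools code): a resolver configured by the caller is
 * silently dropped at an inner parse site, so the external entity in the
 * document is read; installing the resolver at that site blocks it.
 */
public class EntityResolverDemo {

    /** Resolver that refuses every external entity (fail closed). */
    static final EntityResolver DENY_ALL = (publicId, systemId) -> {
        throw new SAXException("external entity blocked: " + systemId);
    };

    /** Constructed document: the DOCTYPE declares an entity backed by a local file. */
    static String xxeDocument(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE feature [ <!ENTITY xxe SYSTEM \"" + fileUri + "\"> ]>\n"
             + "<feature>&xxe;</feature>";
    }

    /**
     * Bug pattern: the caller hands in a resolver, but this layer builds its
     * own DocumentBuilder and never installs it. The JDK default parser
     * then fetches SYSTEM identifiers, so the file contents end up in the DOM.
     */
    static String parseDroppingResolver(String xml, EntityResolver unused) throws Exception {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    /** Fixed pattern: the resolver supplied by the caller is applied at this parse site. */
    static String parseHonouringResolver(String xml, EntityResolver resolver) throws Exception {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        db.setEntityResolver(resolver);
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive local file, created here so the demo is portable.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "s3cr3t-from-disk".getBytes(StandardCharsets.UTF_8));
        String doc = xxeDocument(secret.toUri().toString());
        try {
            // Resolver passed but ignored: the element text is the file contents.
            System.out.println("resolver dropped  -> " + parseDroppingResolver(doc, DENY_ALL));
            try {
                parseHonouringResolver(doc, DENY_ALL);
                System.out.println("resolver honoured -> entity expanded (unexpected)");
            } catch (SAXException e) {
                // Resolver applied: the parse aborts before the file is opened.
                System.out.println("resolver honoured -> " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The check a practitioner wants after upgrading is the second call: parse an untrusted document that references an entity you control and confirm the parse aborts rather than expanding it, through every entry point (here, the gt-xsd-core schema path and the gt-wfs-ng ENTITY_RESOLVER parameter), not just the outer one. As defence in depth, independent of any resolver, the JDK also lets you refuse external DTDs and entities outright by setting the factory attribute XMLConstants.ACCESS_EXTERNAL_DTD to an empty string, or disallow DOCTYPE declarations entirely with the Xerces feature http://apache.org/xml/features/disallow-doctype-decl.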

Database specific
{
    "cwe_ids": [
        "CWE-611",
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30220.json"
}
References

Affected packages

Git
github.com/geonetwork/core-geonetwork

Affected ranges

Type
GIT
Repo
https://github.com/geonetwork/core-geonetwork
Events
Database specific
{
    "versions": [
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.13"
        },
        {
            "introduced": "4.4.0"
        },
        {
            "fixed": "4.4.8"
        }
    ]
}

Affected versions

4.*
4.2.0
4.2.1
4.2.10
4.2.11
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30220.json"
github.com/geoserver/geoserver

Affected ranges

Type
GIT
Repo
https://github.com/geoserver/geoserver
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.27.0"
        },
        {
            "fixed": "2.27.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/geoserver/geoserver
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.26.0"
        },
        {
            "fixed": "2.26.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/geoserver/geoserver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.25.7"
        }
    ]
}

Affected versions

2.*
2.11-beta
2.21-M0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30220.json"
github.com/geotools/geotools

Affected ranges

Type
GIT
Repo
https://github.com/geotools/geotools
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Introduced
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "28.6.1"
        },
        {
            "introduced": "29.0"
        },
        {
            "fixed": "31.7"
        },
        {
            "introduced": "32.0"
        },
        {
            "fixed": "32.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "33.0"
        }
    ]
}
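A resolver for the affected ranges above, as an added example that is not OSV or GeoTools tooling: it encodes the four introduced/fixed/last_affected pairs listed for github.com/geotools/geotools and reports which pairs contain a given version, with fixed treated as exclusive and last_affected as inclusive. The class and method names (OsvRangeCheck, affectedBy, compare) are hypothetical; the version comparison is a plain numeric dot-component comparison and does not order pre-release tags.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not OSV or GeoTools tooling): evaluates a version against
 * the introduced / fixed / last_affected pairs given for GeoTools above.
 * "fixed" is exclusive, "last_affected" inclusive; a version is affected if
 * any pair contains it.
 */
public class OsvRangeCheck {

    /** One (introduced, end) pair; endInclusive is true for a last_affected end. */
    static final class Range {
        final String introduced, end; final boolean endInclusive;
        Range(String introduced, String end, boolean endInclusive) {
            this.introduced = introduced; this.end = end; this.endInclusive = endInclusive;
        }
    }

    /** The four GeoTools pairs from the record, in the order listed. */
    static final List<Range> GEOTOOLS = Arrays.asList(
        new Range("0", "28.6.1", false),
        new Range("29.0", "31.7", false),
        new Range("32.0", "32.3", false),
        new Range("0", "33.0", true));

    /** Numeric dot-component comparison; trailing letters (e.g. "21.6b") are dropped. */
    static int compare(String a, String b) {
        int[] x = parts(a), y = parts(b);
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? x[i] : 0, yi = i < y.length ? y[i] : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    private static int[] parts(String v) {
        String[] s = v.split("\\.");
        int[] out = new int[s.length];
        for (int i = 0; i < s.length; i++) {
            String digits = s[i].replaceAll("[^0-9].*$", "");
            out[i] = digits.isEmpty() ? 0 : Integer.parseInt(digits);
        }
        return out;
    }

    /** Returns the pairs that contain the version; an empty list means not affected. */
    static List<String> affectedBy(String version, List<Range> ranges) {
        List<String> hits = new ArrayList<>();
        for (Range r : ranges) {
            boolean atOrAboveStart = compare(version, r.introduced) >= 0;
            int c = compare(version, r.end);
            boolean belowEnd = r.endInclusive ? c <= 0 : c < 0;
            if (atOrAboveStart && belowEnd) {
                hits.add(r.introduced + ".." + r.end + (r.endInclusive ? " (inclusive)" : ""));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        for (String v : new String[] {"28.6.0", "28.6.1", "31.7", "32.2", "33.0", "33.1"}) {
            List<String> hits = affectedBy(v, GEOTOOLS);
            System.out.println(v + (hits.isEmpty() ? " -> not affected" : " -> affected by " + hits));
        }
    }
}
```

Running this shows the caveat in the record as written: the fourth pair, introduced 0 with last_affected 33.0, contains every version up to 33.0, so 28.6.1, 31.7 and 32.3, which the Details text lists as fixed, are still reported as affected by that pair, and only 33.1 and later come out clean. When you automate matching against this record, decide deliberately whether to trust the Details text or the literal pairs for the 28.x, 31.x and 32.x patch releases.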

Affected versions

21.*
21.6b
26.*
26.1a
26.1b
33.*
33.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30220.json"