GHSA-jj54-8f66-c5pc

Suggest an improvement
Source
https://github.com/advisories/GHSA-jj54-8f66-c5pc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-jj54-8f66-c5pc/GHSA-jj54-8f66-c5pc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jj54-8f66-c5pc
Aliases
  • CVE-2025-30220
Published
2025-06-10T20:10:06Z
Modified
2025-06-10T20:27:15.044827Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L CVSS Calculator
Summary
[XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service
Details

Summary

GeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack.

It is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF).

Details

While direct entity resolution is managed by application property ENTITYRESOLUTIONALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation.

This bypasses GeoServer's AllowListEntityResolver enabling XXE attacks.

PoC

No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service.

Impact

  • Information Disclosure:

    This vulnerability allows unauthenticated attackers to read arbitrary files from the server's filesystem that are accessible to the GeoServer process.

    This can lead to exposure of sensitive information including configuration files, credentials, and system files. The attack can be performed remotely without authentication, making it particularly severe.

  • Server-Side Request Forgery (SSRF)

    The mechanism inherently allows forcing GeoServer to make HTTP requests to arbitrary URLs, enabling SSRF attacks against internal network resources

References

Acknowledgements

This vulnerability was initially reported via an automated tool described below. Subsequently a duplicate report via @YacineF, and their patience working with the GeoServer project, was instrumental finding in escalating this issue and determining a resolution.

XBOW-025-068 Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Database specific 
{
    "nvd_published_at": "2025-06-10T16:15:37Z",
    "cwe_ids": [
        "CWE-611",
        "CWE-918"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T20:10:06Z"
}
References

Affected packages

Maven / org.geoserver.web:gs-web-app

Package

Name
org.geoserver.web:gs-web-app
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver.web/gs-web-app

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.27.0
Fixed
2.27.1

Affected versions

2.*

2.27.0

Maven / org.geoserver:gs-wfs

Package

Name
org.geoserver:gs-wfs
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver/gs-wfs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.27.0
Fixed
2.27.1

Affected versions

2.*

2.27.0

Maven / org.geoserver.web:gs-web-app

Package

Name
org.geoserver.web:gs-web-app
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver.web/gs-web-app

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.26.0
Fixed
2.26.3

Database specific 

{
    "last_known_affected_version_range": "<= 2.26.2"
}

Maven / org.geoserver:gs-wfs

Package

Name
org.geoserver:gs-wfs
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver/gs-wfs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.26.0
Fixed
2.26.3

Database specific 

{
    "last_known_affected_version_range": "<= 2.26.2"
}

Maven / org.geoserver.web:gs-web-app

Package

Name
org.geoserver.web:gs-web-app
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver.web/gs-web-app

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.25.7

Database specific 

{
    "last_known_affected_version_range": "<= 2.25.6"
}

Maven / org.geoserver:gs-wfs

Package

Name
org.geoserver:gs-wfs
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver/gs-wfs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.25.7

Database specific 

{
    "last_known_affected_version_range": "<= 2.25.6"
}