CVE-2025-30220

Severity: Critical (CVSS 3.1 base score 9.1) · EPSS 98.7%
Published Jun 10, 2025 (1y ago) · Modified Jun 17, 2026 (1w ago)

Description

GeoServer is an open source server that allows users to share and edit geospatial data. The GeoTools Schemas class, which uses the Eclipse XSD library to represent schema data structures, is vulnerable to XML External Entity (XXE) injection. This affects any deployment that exposes XML processing in which gt-xsd-core takes part in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class does not use the EntityResolver provided by the ParserHandler (if one was configured). Users of the gt-wfs-ng DataStore are also affected, because its ENTITY_RESOLVER connection parameter was not being applied as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1; GeoServer 2.27.1, 2.26.3, and 2.25.7; and GeoNetwork 4.4.8 and 4.2.13.

CVSS Details

Base Score: 9.1
Exploitability: 3.9
Impact: 5.2
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 98.7% percentile
Exploit & Patch Status: Public Exploit Known; Patch Available

Weaknesses 2

CWE-611 Improper Restriction of XML External Entity Reference
CWE-918 Server-Side Request Forgery (SSRF)

Affected Products 9

Vendor    Product     Version  Range
geotools  geotools    *        <28.6.1
geotools  geotools    *        ≥29.0 – <31.7
geotools  geotools    *        ≥32.0 – <32.3
geotools  geotools    33.0     any
osgeo     geonetwork  *        ≥4.2.0 – <4.2.13
osgeo     geonetwork  *        ≥4.4.0 – <4.4.8
osgeo     geoserver   *        <2.25.7
osgeo     geoserver   *        ≥2.26.0 – <2.26.3
osgeo     geoserver   2.27.0   any

References 7

  • docs.geoserver.org https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
    Product
  • github.com https://github.com/geonetwork/core-geonetwork/pull/8757
    Patch
  • github.com https://github.com/geonetwork/core-geonetwork/pull/8803
    Patch
  • github.com https://github.com/geonetwork/core-geonetwork/pull/8812
    Patch
  • github.com https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc
    Patch, Third Party Advisory
  • github.com https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
    Exploit, Patch, Third Party Advisory
  • github.com https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw
    Third Party Advisory

Remediation

  • github.com https://github.com/geonetwork/core-geonetwork/pull/8757
    Patch
  • github.com https://github.com/geonetwork/core-geonetwork/pull/8803
    Patch
  • github.com https://github.com/geonetwork/core-geonetwork/pull/8812
    Patch
  • github.com https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc
    Patch, Third Party Advisory
  • github.com https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
    Exploit, Patch, Third Party Advisory