CVE-2025-58360

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525	Vendor Advisory
https://osgeo-org.atlassian.net/browse/GEOS-11682	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:geoserver:geoserver::::::::
	cpe:2.3:a:geoserver:geoserver::::::::

History

02 Dec 2025, 14:41

Type	Values Removed	Values Added
First Time		Geoserver geoserver Geoserver
References	~~() https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 -~~	() https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 - Vendor Advisory
References	~~() https://osgeo-org.atlassian.net/browse/GEOS-11682 -~~	() https://osgeo-org.atlassian.net/browse/GEOS-11682 - Issue Tracking
CPE		cpe:2.3:a:geoserver:geoserver::::::::

25 Nov 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-25 21:15

Updated : 2025-12-02 14:41

NVD link : CVE-2025-58360

Mitre link : CVE-2025-58360

CVE.ORG link : CVE-2025-58360

JSON object : View

Products Affected

geoserver

geoserver

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2025-58360", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-11-25T21:15:56.363", "references": [{"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://osgeo-org.atlassian.net/browse/GEOS-11682", "tags": ["Issue Tracking"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0."}], "lastModified": "2025-12-02T14:41:02.013", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "929A415A-3926-49DE-855E-9363B5E495D3", "versionEndExcluding": "2.25.6"}, {"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58DCFD5D-914E-442F-AD07-C019C3BDDB2A", "versionEndExcluding": "2.26.2", "versionStartIncluding": "2.26.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}