CRITICAL🇵🇱 Wersja polska

CVE-2025-30220

CVSS 9.9v3.1pub. 2025-06-10upd. 2025-08-26

GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

🤖 AI Analysis
How it works

The GeoTools library uses the Eclipse XSD class to represent XML schema structures. When a processed XML document contains a reference to an external XML schema, the Schemas class does not use the EntityResolver object provided by ParserHandler. As a result, external XML entities can be resolved without restrictions, allowing an attacker to inject a specially crafted XML document pointing to local server resources or internal network addresses. This also applies to gt-wfs-ng DataStore users, where the ENTITY_RESOLVER connection parameter was not applied as intended.

Impact

An attacker can read arbitrary files from the server file system (e.g., passwords, configuration keys) and conduct SSRF attacks by sending requests to internal network resources inaccessible directly from the Internet. The vulnerability has a scope extending beyond the attacked application (Scope: Changed), which significantly increases its criticality.

Mitigation & patch

The software should be updated as soon as possible to versions with the vulnerability removed: GeoTools 33.1, 32.3, 31.7 or 28.6.1; GeoServer 2.27.1, 2.26.3 or 2.25.7; GeoNetwork 4.4.8 or 4.2.13. As a temporary workaround, it is recommended to disable the processing of external XML entities in accordance with the manufacturer's guidelines available at: https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities

Who is affected

GeoTools in versions prior to 33.1, 32.3, 31.7 and 28.6.1; GeoServer in versions prior to 2.27.1, 2.26.3 and 2.25.7; GeoNetwork in versions prior to 4.4.8 and 4.2.13. The vulnerability affects any system that processes XML documents with references to external schemas using the gt-xsd-core module.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
  • Geotools

    APP
    Geotools
    33.0< 28.6.129.0 – 31.7 (bez)32.0 – 32.3 (bez)
  • Osgeo Geonetwork

    APP
    Osgeo
    4.2.0 – 4.2.13 (bez)4.4.0 – 4.4.8 (bez)
  • Osgeo Geoserver

    APP
    Osgeo
    2.27.0< 2.25.72.26.0 – 2.26.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XXE
CWE
References

Related vulnerabilities

CVE-2024-36401CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GeoServer RCE przez niezabezpieczoną ewaluację XPath w parametrach OGC

CVE-2024-34711CRITICAL9.3PL ✓ten sam produkt

GeoServer: XXE umożliwiające skanowanie sieci wewnętrznych (SSRF)

CVE-2023-25158CRITICAL9.8ten sam produkt

GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for...

CVE-2023-25157CRITICAL9.8ten sam produkt

GeoServer is an open source software server written in Java that allows users to share and edit geospatial dat...

CVE-2025-27511HIGH7.2ten sam produkt

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27....