What is OSGeo GeoServer?
GeoServer is an open-source server, written in Java and maintained by the Open Source Geospatial Foundation (OSGeo), that publishes geospatial data over standard OGC (Open Geospatial Consortium) protocols, including WMS (Web Map Service), WFS (Web Feature Service), and WCS (Web Coverage Service). It is widely used by government agencies, environmental organizations, urban planning departments, utilities, and academic institutions to share map layers and geospatial data publicly over the web. GeoServer has a history of critical vulnerabilities: CVE-2024-36401, a pre-authentication remote code execution flaw caused by unsafe evaluation of OGC request property names as XPath expressions, was exploited by multiple APT groups in 2024.
Overview
CVE-2025-58360 is a pre-authentication XML external entity injection (XXE, CWE-611) in GeoServer's WMS GetMap operation. The /geoserver/wms?REQUEST=GetMap endpoint accepts XML input and hands it to a parser on which external entity resolution has not been disabled, so an unauthenticated attacker can read arbitrary files from the server and make the server issue requests to attacker-chosen URLs (SSRF). CISA added the vulnerability to the KEV catalog on December 11, 2025 with a January 1, 2026 (New Year's Day) deadline: a three-week remediation window for the federal agencies bound by BOD 22-01, and a strong signal for everyone else running GeoServer.
Affected Versions
| Release line | Vulnerable versions | Fixed in |
|---|---|---|
| GeoServer 2.25.x | 2.25.0 – 2.25.5 | 2.25.6 |
| GeoServer 2.26.x | 2.26.0 – 2.26.1 | 2.26.2 |
| GeoServer 2.27.0 | Not affected | — |
Technical Details
The WMS GetMap operation (/geoserver/wms?REQUEST=GetMap) accepts XML-formatted requests when invoked with an XML body or via certain SLD (Styled Layer Descriptor) parameters. GeoServer processes this XML through a parser without disabling external entity resolution (CWE-611).
An unauthenticated attacker sends a GetMap request with an XML body containing a DOCTYPE declaration defining an external entity referencing either a local filesystem path or an attacker-controlled URL. When the XML parser resolves the entity:
- File read: the contents of server files (configuration files, credentials, TLS private keys) are embedded in the parser's output and returned to the attacker. Classic XXE can only return content the parser can embed as text, so binary files and files containing XML-special characters typically produce parse errors rather than leaking.
- SSRF: the server makes an outbound HTTP request to the attacker-specified URL, enabling internal network probing and access to cloud metadata services (AWS IMDS, GCP metadata, and similar).
GeoServer frequently stores database credentials (PostGIS, Oracle) and external service API keys in configuration files (datastore.xml, wfs.xml, etc.) that are readable via this XXE.
Key characteristics:
- Fully unauthenticated — no credentials or session required
- No user interaction required
- The WMS GetMap endpoint is public-facing by design on most GeoServer deployments
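The parser condition behind CWE-611, shown in runnable form. This is an added example written for this page, not GeoServer's code: it uses Python's standard-library SAX parser, where the `feature_external_ges` switch plays the role that external-general-entity resolution plays in GeoServer's Java XML stack (the Java equivalents are the Xerces features `http://xml.org/sax/features/external-general-entities` and `http://apache.org/xml/features/disallow-doctype-decl`). The secret file, its contents and the XXE document are constructed for the demonstration. The same document is parsed with entity resolution enabled (vulnerable), with resolution disabled (Python's default since 3.7.1, so the entity is silently skipped), and with any DOCTYPE rejected outright (the strict fix).

```python
"""
XML external entity (XXE) resolution, demonstrated with Python's stdlib SAX parser.

Added example, not GeoServer code. Parses one constructed XXE document three ways:
  - vulnerable: external general entities are resolved (the CWE-611 condition)
  - default:    the entity is declared but not resolved (Python's default since 3.7.1)
  - strict:     any DOCTYPE is rejected, the equivalent of Xerces' disallow-doctype-decl
"""
import io
import os
import pathlib
import tempfile
import xml.sax
import xml.sax.handler

# Constructed stand-in for a config file such as a datastore password
SECRET = "db.password=hunter2"


class TextCollector(xml.sax.ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


class DoctypeRejecter:
    """Lexical handler that aborts parsing as soon as a DOCTYPE appears."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted")

    # Remaining lexical callbacks the expat reader wires up; nothing to do.
    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def xxe_document(target_uri):
    """Constructed XXE payload: external entity declared in the DOCTYPE, referenced in content."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE root [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        "<root>&xxe;</root>"
    )


def parse_text(xml_text, resolve_external_entities=False, allow_doctype=True):
    """Parse xml_text and return its character data under the chosen parser settings."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    # This feature is the switch that makes an XXE file read possible
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    if not allow_doctype:
        parser.setProperty(xml.sax.handler.property_lexical_handler, DoctypeRejecter())
    parser.parse(io.StringIO(xml_text))
    return collector.text()


def rejects_doctype(xml_text):
    """True if the strict (DOCTYPE-rejecting) parser refuses the document."""
    try:
        parse_text(xml_text, allow_doctype=False)
    except ValueError:
        return True
    return False


def run_demo():
    """Write the constructed secret to a temp file and parse the XXE document three ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write(SECRET)
        secret_path = fh.name
    try:
        doc = xxe_document(pathlib.Path(secret_path).resolve().as_uri())
        return {
            "vulnerable": parse_text(doc, resolve_external_entities=True),
            "default": parse_text(doc),
            "strict_rejects_xxe": rejects_doctype(doc),
            "strict_accepts_plain": rejects_doctype("<root>hello</root>"),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, result in run_demo().items():
        print(f"{mode}: {result!r}")
```

Run it and the `vulnerable` result is the file's contents sitting inside the document text, while the `default` result is an empty string because the reference was skipped. Rejecting DOCTYPE entirely is the stronger of the two fixes: turning off external general entities still leaves internal entity expansion (the "billion laughs" denial of service) and parameter-entity tricks available, and no GetMap request has a legitimate reason to carry a DTD.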
Discovery
XBOW Security — an autonomous AI-assisted vulnerability detection system with human validation — identified and reported the vulnerability.
Exploitation Context
CISA confirmed active exploitation and added the vulnerability to the KEV catalog on December 11, 2025. GeoServer has historically been a target: CVE-2024-36401 was exploited by multiple APT groups (UNC5325, Volt Typhoon-adjacent actors, criminal groups) in 2024. Because GeoServer is deployed by government and critical infrastructure organizations, it is an attractive target for espionage actors seeking geospatial intelligence.
Remediation
- Upgrade to GeoServer 2.25.6 or 2.26.2 (or 2.27.0+) immediately. The CISA deadline was January 1, 2026.
- Disable the WMS service if it is not operationally required (GeoServer's admin interface allows disabling individual OGC services), or restrict the GetMap operation to authenticated roles through GeoServer's service-level security rules. Disabling WMS also removes GetCapabilities and GetFeatureInfo for every client, so confirm no consumer depends on it first.
- Rotate all credentials in GeoServer data store configurations: database connection strings (PostGIS, Oracle, SQL Server), API keys for external services, and authentication credentials in datastore.xml and service configuration files. Assume anything readable by the GeoServer process account has been read.
- Restrict GeoServer to known IP ranges at the network level if possible; public-facing GeoServer instances should be limited to known consumer networks.
- Review server logs for GET and POST requests to /geoserver/wms with unusual XML bodies or ?REQUEST=GetMap parameters containing DOCTYPE references. Access logs normally record only the request line, so POST bodies are visible only if a reverse proxy or WAF logs them.
- Apply the principle of least privilege to the GeoServer process account: it should not have read access to sensitive files outside its working directory.
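One way to carry out the log-review step above, as an added example that is not part of the original page. It is a Python triage script over constructed access-log lines in the common combined format. The endpoint patterns assume GeoServer's documented `/geoserver/wms`, `/geoserver/ows` and workspace-scoped `/geoserver/<workspace>/wms` paths, and the sample payload is placed in `SLD_BODY`, GeoServer's documented parameter for an inline SLD document, although the scanner inspects every parameter rather than trusting a name. It URL-decodes repeatedly so double-encoded payloads are caught, and it flags POST requests to the endpoint for manual body review, since access logs carry no request body.

```python
"""
Triage GeoServer access-log lines for XXE-style GetMap requests.

Added example with constructed sample data; not GeoServer output. Looks for DOCTYPE
or ENTITY declarations in any query parameter of a request to the WMS endpoint
(after URL-decoding, including double-encoding) and flags POST requests to the same
endpoint for manual body review, because access logs do not record bodies.
"""
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# Combined log format prefix: client, ident, user, [timestamp], "request line", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# /geoserver/wms, /geoserver/ows and workspace-scoped variants (/geoserver/<ws>/wms)
WMS_PATH = re.compile(r"^/geoserver(?:/[^/?]+)?/(?:wms|ows)/?$", re.IGNORECASE)
# A DOCTYPE or ENTITY declaration has no business in a GetMap parameter
DTD_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing (bounded) so double-encoding is caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict for a suspicious WMS request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not WMS_PATH.match(target.path):
        return None
    params = {name.upper(): fully_decode(value)
              for name, value in parse_qsl(target.query, keep_blank_values=True)}
    finding = {
        "ip": m["ip"], "ts": m["ts"], "method": m["method"],
        "path": target.path, "status": m["status"],
        "request": params.get("REQUEST", "").lower() or None,
    }
    tainted = sorted(name for name, value in params.items() if DTD_MARKER.search(value))
    if tainted:
        finding.update(reason="dtd_in_query", params=tainted)
        return finding
    if m["method"] == "POST":
        # GetMap also accepts an XML body, which the access log cannot show
        finding.update(reason="post_body_not_logged", params=[])
        return finding
    return None


def scan_log(lines):
    """Findings for every line, in log order."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed XXE-style SLD payload, used only to build the sample log lines below
XXE_SLD = ('<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
           '<x>&xxe;</x>')


def sample_log():
    """Constructed access-log lines (not real traffic)."""
    benign = ("SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&LAYERS=topp:states"
              "&CRS=EPSG:4326&BBOX=24,-125,50,-66&WIDTH=768&HEIGHT=330&FORMAT=image/png")
    return [
        # ordinary GetMap from a desktop GIS client
        '203.0.113.10 - - [12/Dec/2025:09:14:02 +0000] "GET /geoserver/wms?'
        + benign + ' HTTP/1.1" 200 48213 "-" "QGIS/3.34"',
        # payload URL-encoded once, in the inline-SLD parameter
        '198.51.100.7 - - [12/Dec/2025:09:15:40 +0000] "GET /geoserver/wms?'
        'SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states&SLD_BODY='
        + quote(XXE_SLD, safe="") + ' HTTP/1.1" 500 1093 "-" "python-requests/2.32"',
        # payload double-encoded, lower-case parameter names, workspace-scoped OWS endpoint
        '198.51.100.7 - - [12/Dec/2025:09:16:05 +0000] "GET /geoserver/topp/ows?'
        'service=WMS&request=getmap&sld_body='
        + quote(quote(XXE_SLD, safe=""), safe="") + ' HTTP/1.1" 400 512 "-" "curl/8.5.0"',
        # POST to the endpoint: body not in the access log, needs manual review
        '198.51.100.7 - - [12/Dec/2025:09:17:30 +0000] "POST /geoserver/wms HTTP/1.1" '
        '200 2211 "-" "curl/8.5.0"',
        # unrelated admin UI request, ignored
        '203.0.113.11 - - [12/Dec/2025:09:18:00 +0000] "GET /geoserver/web/ HTTP/1.1" '
        '200 7321 "-" "Mozilla/5.0"',
    ]


if __name__ == "__main__":
    for finding in scan_log(sample_log()):
        print(finding)
```

Three of the five constructed lines are reported: the two encoded payloads (including the double-encoded one that a single decode would miss) and the POST, which is returned with a separate reason so an analyst knows it needs body-level evidence rather than being treated as confirmed. Pipe real logs through `scan_log` line by line; matches on the `dtd_in_query` reason are worth correlating with the credential rotation step, since the parameter content shows which file or URL was targeted.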
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-58360 |
| Vendor / Product | OSGeo — GeoServer |
| NVD Published | 2025-11-25 |
| NVD Last Modified | 2025-12-12 |
| CVSS 3.1 Score | 8.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| Severity | HIGH |
| CWE | CWE-611 |
| CISA KEV Added | 2025-12-11 |
| CISA KEV Deadline | 2026-01-01 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-11-25 | CVE published; GeoServer releases 2.25.6 and 2.26.2 with fix |
| 2025-12-11 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-01-01 | CISA BOD 22-01 remediation deadline (New Year's Day) |
References
| Resource | Type |
|---|---|
| GeoServer Security Advisory GHSA-fjf5-xgmq-5525 | Vendor Advisory |
| GeoServer Issue GEOS-11922 | Vendor Advisory |
| NVD — CVE-2025-58360 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Qualys — CISA Warns of Actively Exploited GeoServer XXE | Security Research |