CVE-2025-30220
BaseFortify
Publication date: 2025-06-10
Last updated on: 2025-08-26
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| geotools | geotools | < 28.6.1 |
| geotools | geotools | >= 29.0 and < 31.7 |
| geotools | geotools | >= 32.0 and < 32.3 |
| geotools | geotools | 33.0 |
| osgeo | geonetwork | >= 4.2.0 and < 4.2.13 |
| osgeo | geonetwork | >= 4.4.0 and < 4.4.8 |
| osgeo | geoserver | < 2.25.7 |
| osgeo | geoserver | >= 2.26.0 and < 2.26.3 |
| osgeo | geoserver | 2.27.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-30220 is an XML External Entity (XXE) vulnerability affecting GeoServer, GeoTools, and GeoNetwork components that process XML schemas. The issue arises because the GeoTools Schema class uses the Eclipse XSD library to represent schema data but does not properly use the EntityResolver provided during XML parsing. This allows attackers to craft XML documents referencing external entities, which can be exploited to read sensitive local files or perform server-side request forgery (SSRF) attacks. The vulnerability affects various versions of GeoTools, GeoServer, and GeoNetwork and is fixed in recent patched versions. [1, 5, 6]
How can this vulnerability impact me?
This vulnerability allows unauthenticated remote attackers to exploit XML processing endpoints to perform XXE attacks, potentially leading to the disclosure of sensitive files on the server, such as configuration files and credentials. It also enables server-side request forgery (SSRF), allowing attackers to make arbitrary HTTP requests from the vulnerable server to internal or external systems. The impact includes high confidentiality loss, low integrity impact, and low availability impact. Attackers do not require privileges or user interaction to exploit this vulnerability. [1, 5, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-30220 involves monitoring for exploitation attempts targeting the vulnerable XML processing endpoints, such as the Web Feature Service (WFS) REST API in GeoNetwork or GeoServer. Since the vulnerability allows unauthenticated remote attackers to perform XML External Entity (XXE) attacks, network detection can focus on unusual or unexpected XML payloads containing external entity references sent to these endpoints. Specific commands are not provided in the resources, but general approaches include capturing and inspecting HTTP requests to the WFS endpoints for XML data with external entity declarations. Additionally, reviewing logs for unusual file access or outbound HTTP requests from the server may indicate exploitation attempts. [1, 5, 6]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading affected software to the patched versions: GeoNetwork to versions 4.4.8 or 4.2.13, GeoServer to versions 2.27.1, 2.26.3, or 2.25.7, and GeoTools to versions 33.1, 32.3, 31.7, or 28.6.1. As a workaround for GeoNetwork, disabling the WFS Index functionality by removing the gn-wfsfeature-harvester and gn-camelPeriodicProducer JAR files is recommended. For GeoServer, ensure the ENTITY_RESOLUTION_ALLOWLIST property is properly enforced and updated. Restrict access to WFS harvesting tasks to authorized users only, as unauthorized manipulation was also addressed. These steps help prevent exploitation of the XXE vulnerability and associated SSRF attacks. [1, 5, 6, 4]
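The two defender-side checks described in the detection and mitigation answers above, as an added example that is not part of this page and not code from GeoServer, GeoTools or GeoNetwork: it scans captured XML request bodies for external DTD and entity declarations, and then checks each referenced URI against a host allowlist in the spirit of GeoServer's ENTITY_RESOLUTION_ALLOWLIST. The regex-based matching, the allowlist entries and their matching rules (host match plus optional path prefix), and all sample request bodies are assumptions constructed for this example, not taken from the page or the projects.

```python
"""Added example (not BaseFortify's, GeoServer's or GeoTools' own code).

Defender-side checks for the XXE/SSRF pattern behind CVE-2025-30220:
  1. find external DTD / entity declarations in captured XML request bodies
     sent to WFS-style endpoints (the detection approach described above);
  2. decide whether each referenced URI would pass a host allowlist, modelled
     on the idea of GeoServer's ENTITY_RESOLUTION_ALLOWLIST (the matching rules
     below are assumed for this example, not taken from the page).
All sample requests and the allowlist are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# <!ENTITY name SYSTEM "uri"> or <!ENTITY % name PUBLIC "id" "uri">:
# an entity whose replacement text is fetched from outside the document.
EXTERNAL_ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%]+)\s+"""
    r"""(?:SYSTEM\s+|PUBLIC\s+(?P<pq>["'])[^"']*(?P=pq)\s+)"""
    r"""(?P<q>["'])(?P<uri>[^"']*)(?P=q)""",
    re.IGNORECASE,
)

# <!DOCTYPE root SYSTEM "uri">: the DOCTYPE itself loads an external DTD.
EXTERNAL_DTD_RE = re.compile(
    r"""<!DOCTYPE\s+[^\s\[>]+\s+"""
    r"""(?:SYSTEM\s+|PUBLIC\s+(?P<pq>["'])[^"']*(?P=pq)\s+)"""
    r"""(?P<q>["'])(?P<uri>[^"']*)(?P=q)""",
    re.IGNORECASE,
)

# Constructed allowlist: "host" or "host/path-prefix" entries (assumed format).
ALLOWLIST = ["www.w3.org", "schemas.opengis.net", "www.opengis.net",
             "inspire.ec.europa.eu/schemas"]


@dataclass
class Finding:
    kind: str      # "dtd" (external subset) or "entity"
    name: str      # entity name ("%name" for a parameter entity), "" for a DTD
    uri: str
    allowed: bool  # True when the URI passes the allowlist


def external_references(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (kind, name, uri) for every declaration that reaches outside the document."""
    refs = [("dtd", "", m.group("uri")) for m in EXTERNAL_DTD_RE.finditer(xml_text)]
    for m in EXTERNAL_ENTITY_RE.finditer(xml_text):
        name = ("%" if m.group("param") else "") + m.group("name")
        refs.append(("entity", name, m.group("uri")))
    return refs


def uri_allowed(uri: str, allowlist: list[str]) -> bool:
    """Only http(s) URIs whose host (and optional path prefix) match an entry pass;
    file:, jar: and every other scheme are never allowed (assumed policy)."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for entry in allowlist:
        entry_host, _, entry_prefix = entry.partition("/")
        if host == entry_host.lower() and path.startswith("/" + entry_prefix):
            return True
    return False


def analyze_request(body: str, allowlist: list[str]) -> list[Finding]:
    return [Finding(kind, name, uri, uri_allowed(uri, allowlist))
            for kind, name, uri in external_references(body)]


def scan_requests(requests, allowlist: list[str]) -> list[dict]:
    """requests: iterable of (request_id, endpoint, xml_body).
    Returns one alert per request carrying an external reference that the
    allowlist would not permit; allowed references are reported but not alerted."""
    alerts = []
    for request_id, endpoint, body in requests:
        findings = analyze_request(body, allowlist)
        blocked = [f for f in findings if not f.allowed]
        if blocked:
            alerts.append({"request_id": request_id, "endpoint": endpoint,
                           "blocked": blocked, "allowed": [f for f in findings if f.allowed]})
    return alerts


# Constructed sample request bodies: (request id, endpoint, XML body).
SAMPLE_REQUESTS = [
    ("req-1", "/wfs",   # ordinary GetFeature, no DOCTYPE at all
     '<?xml version="1.0"?><wfs:GetFeature service="WFS" version="2.0.0" '
     'xmlns:wfs="http://www.opengis.net/wfs/2.0"><wfs:Query typeNames="example:layer"/>'
     '</wfs:GetFeature>'),
    ("req-2", "/wfs",   # external DTD from an allowlisted schema host
     '<?xml version="1.0"?><!DOCTYPE wfs:GetFeature SYSTEM '
     '"http://schemas.opengis.net/example.dtd">'
     '<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs/2.0"/>'),
    ("req-3", "/wfs",   # internal entity only: nothing is fetched
     '<?xml version="1.0"?><!DOCTYPE note [<!ENTITY greeting "hello">]><note>&greeting;</note>'),
    ("req-4", "/wfs",   # general entity pointing at a local file (placeholder path)
     '<?xml version="1.0"?><!DOCTYPE note [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/local/file">]>'
     '<note>&ext;</note>'),
    ("req-5", "/wfs",   # parameter entity pointing at a non-allowlisted internal host
     '<?xml version="1.0"?><!DOCTYPE note [<!ENTITY % p SYSTEM "http://internal.example.invalid/">'
     ' %p;]><note/>'),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS, ALLOWLIST):
        for f in alert["blocked"]:
            print(f"{alert['request_id']} {alert['endpoint']}: blocked {f.kind} {f.name} -> {f.uri}")
```

Running the block against the constructed samples alerts on req-4 and req-5 only: req-2 references an allowlisted host and is reported as allowed, and req-3 declares an internal entity that never leaves the document. For production use the same logic applies to request bodies pulled from a reverse-proxy or WAF capture; a DOCTYPE of any kind in a WFS request is already unusual enough to be worth logging even when the allowlist would permit it.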