CVE-2025-58360
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-12-12
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| geoserver | geoserver | to 2.25.6 (exc) |
| geoserver | geoserver | From 2.26.0 (inc) to 2.26.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an XML External Entity (XXE) weakness (CWE-611) in GeoServer: it affects the 2.26.x line from 2.26.0 up to but not including 2.26.2, and every release before 2.25.6. GeoServer accepts XML request bodies on its WMS endpoint (/geoserver/wms) for the GetMap operation. The parser applied to that input does not restrict document type declarations or external entities, so an attacker can include a DOCTYPE that declares an entity whose SYSTEM identifier names a local file or a URL. When the parser expands the entity, the server reads that resource while processing the request and its content becomes part of the parsed document, which is how XXE flaws turn into disclosure of files and other resources reachable from the server.
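The mechanism described above, as an added example that is not code from the original page or from the GeoServer project (GeoServer is written in Java; this is Python on the standard-library expat bindings so it runs anywhere). It builds a constructed GetMap-style XML body whose DOCTYPE declares an external entity pointing at a server-side file, then parses it twice. The element names, the temporary file path and the secret it contains are assumptions for illustration, not the real WMS GetMap schema. `parse_resolving` behaves like a parser left at defaults that honour external entities and leaks the file into the document text; `parse_hardened` refuses any DOCTYPE, the standard fix for CWE-611 in a request parser.

```python
import os
import tempfile
import xml.parsers.expat as expat


class XmlRejected(Exception):
    """Raised by the hardened parser when a request body uses a DTD feature."""


def make_request(secret_path):
    # Constructed request body.  The element names are a stand-in for the
    # real GetMap XML (assumption: not the WMS schema).  The DOCTYPE is the
    # payload: it declares an entity whose SYSTEM id names a file on the server.
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE GetMap [ <!ENTITY xxe SYSTEM "{secret_path}"> ]>\n'
        "<GetMap><Layer>&xxe;</Layer></GetMap>"
    ).encode()


def parse_resolving(xml_bytes):
    """Vulnerable: resolves external entities by reading their SYSTEM id.

    Mirrors an XML parser left at defaults that honour DTD entities: whatever
    path the request names is read and spliced into the document text.
    """
    text = []

    def external_entity(context, base, system_id, public_id):
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as f:      # the XXE: the server reads the file
            child.Parse(f.read(), True)        # its bytes become element text
        return 1

    parser = expat.ParserCreate()
    parser.ExternalEntityRefHandler = external_entity
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def parse_hardened(xml_bytes):
    """Hardened: a request body never needs a DTD, so reject any DOCTYPE.

    Refusing the DOCTYPE up front also stops entity-expansion (billion laughs)
    and parameter-entity tricks, not only external entities.  The external
    entity handler is kept as a second line of defence.
    """
    text = []

    def doctype(name, system_id, public_id, has_internal_subset):
        raise XmlRejected(f"DOCTYPE '{name}' is not allowed in a request body")

    def external_entity(context, base, system_id, public_id):
        raise XmlRejected(f"external entity {system_id!r} is not allowed")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def demo():
    """Run both parsers on the same hostile body; returns (leaked, blocked)."""
    # Constructed secret standing in for a file the GeoServer process can read.
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("db.password=hunter2")
        secret_path = f.name
    try:
        body = make_request(secret_path)
        leaked = parse_resolving(body)         # file content shows up as text
        try:
            parse_hardened(body)
            blocked = False
        except XmlRejected:
            blocked = True
        return leaked, blocked
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("resolving parser leaked:", leaked)
    print("hardened parser rejected the body:", blocked)
```

Rejecting the DOCTYPE outright is preferable to merely disabling external general entities, because the latter still leaves parameter entities and internal entity expansion on the table. The Java equivalent, which is what a fix in a JAXP-based server would use, is to enable the `http://apache.org/xml/features/disallow-doctype-decl` feature on the `DocumentBuilderFactory` or `SAXParserFactory` that parses the request body.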
How can this vulnerability impact me?
An attacker who can reach the WMS endpoint can use the XXE flaw to make GeoServer read files and other resources that the GeoServer process can access, and to return or leak their content, which means disclosure of sensitive data on the server. The CVSS score rates the confidentiality impact high (C:H) and the availability impact low (A:L), and the attack needs neither privileges nor user interaction, so a single unauthenticated request is enough to trigger it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade GeoServer to a fixed release: 2.25.6 on the 2.25.x line, 2.26.2 on the 2.26.x line (the affected range ends before 2.26.2), or 2.27.0 or later. These releases contain the patch for the XML External Entity (XXE) vulnerability. Confirm the running version afterwards; GeoServer reports it on the welcome page and through the REST endpoint /geoserver/rest/about/version. Until the upgrade is deployed, restrict who can reach /geoserver/wms, and have a reverse proxy or WAF reject POST bodies to that path that contain a DOCTYPE declaration, since a legitimate GetMap request never needs one.