{
  "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48503?format=json",
  "vulnerability_id": "VCID-d9jc-tmbz-t7cr",
  "summary": "GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature\nAn XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint ``/geoserver/wms`` operation ``GetMap``. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request.\n\nAn XML External Entity attack is a type of attack that occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.\n\nBy exploiting this vulnerability, an attacker can:\n- Read arbitrary files from the server's file system.\n- Conduct Server-Side Request Forgery (SSRF) to interact with internal systems.\n- Execute Denial of Service (DoS) attacks by exhausting resources.",
  "aliases": [
    {"alias": "CVE-2025-58360"},
    {"alias": "GHSA-fjf5-xgmq-5525"}
  ],
  "fixed_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/71592?format=json",
      "purl": "pkg:maven/org.geoserver/gs-wms@2.25.6",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-4nt1-3gxu-skh5"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.geoserver/gs-wms@2.25.6"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/71591?format=json",
      "purl": "pkg:maven/org.geoserver/gs-wms@2.26.2",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-4nt1-3gxu-skh5"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.geoserver/gs-wms@2.26.2"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/71798?format=json",
      "purl": "pkg:maven/org.geoserver.web/gs-web-app@2.25.6",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-4nt1-3gxu-skh5"},
        {"vulnerability": "VCID-ne8r-a5je-sya5"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.geoserver.web/gs-web-app@2.25.6"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/71797?format=json",
      "purl": "pkg:maven/org.geoserver.web/gs-web-app@2.26.2",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-4nt1-3gxu-skh5"},
        {"vulnerability": "VCID-ne8r-a5je-sya5"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.geoserver.web/gs-web-app@2.26.2"
    }
  ],
  "affected_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/514045?format=json",
      "purl": "pkg:maven/org.geoserver/gs-wms@2.26.0",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-4nt1-3gxu-skh5"},
        {"vulnerability": "VCID-d9jc-tmbz-t7cr"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.geoserver/gs-wms@2.26.0"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/85384?format=json",
      "purl": "pkg:maven/org.geoserver.web/gs-web-app@2.26.0",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-4nt1-3gxu-skh5"},
        {"vulnerability": "VCID-d9jc-tmbz-t7cr"},
        {"vulnerability": "VCID-e92h-34gd-57c8"},
        {"vulnerability": "VCID-ne8r-a5je-sya5"},
        {"vulnerability": "VCID-p831-fbaj-xqcm"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.geoserver.web/gs-web-app@2.26.0"
    }
  ],
  "references": [
    {
      "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-58360",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "0.81395", "scoring_system": "epss", "scoring_elements": "0.99195", "published_at": "2026-06-09T12:55:00Z"},
        {"value": "0.81395", "scoring_system": "epss", "scoring_elements": "0.99196", "published_at": "2026-06-06T12:55:00Z"},
        {"value": "0.81395", "scoring_system": "epss", "scoring_elements": "0.99194", "published_at": "2026-06-07T12:55:00Z"}
      ],
      "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-58360"
    },
    {
      "reference_url": "https://github.com/geoserver/geoserver",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L"},
        {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/geoserver/geoserver"
    },
    {
      "reference_url": "https://osgeo-org.atlassian.net/browse/GEOS-11682",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L"},
        {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
        {"value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-12-12T04:55:43Z/"}
      ],
      "url": "https://osgeo-org.atlassian.net/browse/GEOS-11682"
    },
    {
      "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L"},
        {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
    },
    {
      "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58360",
      "reference_id": "CVE-2025-58360",
      "reference_type": "",
      "scores": [
        {"value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L"},
        {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58360"
    },
    {
      "reference_url": "https://github.com/advisories/GHSA-fjf5-xgmq-5525",
      "reference_id": "GHSA-fjf5-xgmq-5525",
      "reference_type": "",
      "scores": [
        {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
      ],
      "url": "https://github.com/advisories/GHSA-fjf5-xgmq-5525"
    },
    {
      "reference_url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525",
      "reference_id": "GHSA-fjf5-xgmq-5525",
      "reference_type": "",
      "scores": [
        {"value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L"},
        {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
        {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
        {"value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-12-12T04:55:43Z/"}
      ],
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"
    }
  ],
  "weaknesses": [
    {
      "cwe_id": 611,
      "name": "Improper Restriction of XML External Entity Reference",
      "description": "The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output."
    },
    {
      "cwe_id": 937,
      "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
      "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
    },
    {
      "cwe_id": 1035,
      "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
      "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
    }
  ],
  "exploits": [
    {
      "date_added": "2025-12-11",
      "description": "OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.",
      "required_action": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "due_date": "2026-01-01",
      "notes": "This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 ; https://osgeo-org.atlassian.net/browse/GEOS-11922 ; https://nvd.nist.gov/vuln/detail/CVE-2025-58360",
      "known_ransomware_campaign_use": false,
      "source_date_published": null,
      "exploit_type": null,
      "platform": null,
      "source_date_updated": null,
      "data_source": "KEV",
      "source_url": null
    },
    {
      "date_added": null,
      "description": "This module exploits an XML External Entity (XXE) vulnerability in GeoServer\n          via the WMS GetMap operation. The vulnerability allows reading arbitrary files\n          from the server's file system by injecting an XXE entity in the SLD (Styled Layer Descriptor).\n\n          Affected versions:\n          - GeoServer >= 2.26.0, <= 2.26.1\n          - GeoServer <= 2.25.5\n\n          The file content is returned in the error message when the layer name contains\n          the XXE entity reference.",
      "required_action": null,
      "due_date": null,
      "notes": "Stability:\n  - crash-safe\nReliability: []\nSideEffects:\n  - ioc-in-logs\n",
      "known_ransomware_campaign_use": false,
      "source_date_published": "2025-11-25",
      "exploit_type": null,
      "platform": "",
      "source_date_updated": null,
      "data_source": "Metasploit",
      "source_url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/gather/geoserver_wms_getmap_xxe_file_read.rb"
    }
  ],
  "severity_range_score": "7.0 - 8.9",
  "exploitability": "2.0",
  "weighted_severity": "8.0",
  "risk_score": 10.0,
  "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d9jc-tmbz-t7cr"
}