CVE-2025-30220

Exploit

EPSS 3.99%
Published 10.06.2025 15:16:39
Last modified 26.08.2025 16:10:11
Source security-advisories@github.com
Teams watchlist Login
Open Login

GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

Affected products Warnungen 0 Metrics 3 CWE 2 References 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Geotools ≫ Geotools Version < 28.6.1

Geotools ≫ Geotools Version >= 29.0 < 31.7

Geotools ≫ Geotools Version >= 32.0 < 32.3

Geotools ≫ Geotools Version33.0

Osgeo ≫ Geonetwork Version >= 4.2.0 < 4.2.13

Osgeo ≫ Geonetwork Version >= 4.4.0 < 4.4.8

Osgeo ≫ Geoserver Version < 2.25.7

Osgeo ≫ Geoserver Version >= 2.26.0 < 2.26.3

Osgeo ≫ Geoserver Version2.27.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	3.99%	0.879

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
security-advisories@github.com	9.9	3.9	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities

Product

https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc

Patch

Third Party Advisory

Exploit

https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc

Patch

Third Party Advisory

https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw

Third Party Advisory

https://github.com/geonetwork/core-geonetwork/pull/8757