CVE-2025-30220
June 19, 2025

Security Advisory

XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service

Kudelski Security Team

Summary

A high-severity vulnerability has been identified in GeoServer’s Web Feature Service (WFS) that allows XML External Entity (XXE) attacks, potentially leading to information disclosure and Server-Side Request Forgery (SSRF). This issue stems from improper handling of XML schemas within the GeoTools library, which bypasses GeoServer’s entity resolution controls.

The vulnerability affects several versions of GeoServer and has been assigned CVE-2025-30220.

Affected Systems and/or Applications

The following GeoServer packages and versions are vulnerable:

Packages:

  • org.geoserver.web:gs-web-app (Maven)
  • org.geoserver:gs-wfs (Maven)

Affected Versions:

  • 2.27.0
  • 2.26.0 – 2.26.2
  • ≤ 2.25.6

Patched Versions:

  • 2.27.1
  • 2.26.3
  • 2.25.7

Technical Details

The vulnerability originates from GeoTools, a core dependency used by GeoServer for XML parsing and schema management. Specifically:

  • GeoServer provides a configuration property ENTITY_RESOLUTION_ALLOWLIST meant to restrict XML external entity resolution.
  • However, when GeoTools builds in-memory XSD schema libraries, it does not respect this restriction.
  • This creates an attack vector through WFS endpoints, allowing an attacker to inject malicious XML payloads containing external DTDs or entities.

Exploitation Capabilities:

  • Out-of-Band (OOB) Data Exfiltration: Attackers can read local files (e.g., /etc/passwd) and exfiltrate data remotely.
  • SSRF: GeoServer can be tricked into making HTTP requests to internal or arbitrary external systems.

Mitigation & Recommendations

To mitigate the risks associated with this vulnerability, the following actions should be prioritized:

1. Immediate Upgrade

Upgrade GeoServer to a patched version:

  • 2.27.1
  • 2.26.3
  • 2.25.7

These versions include the necessary patch to enforce entity resolution restrictions during schema processing.

2. Restrict Access

If upgrading is not immediately possible:

  • Limit access to WFS endpoints (e.g., via firewall rules or API gateway).
  • Disable unauthenticated access to XML-based services where feasible.

3. Monitor for Suspicious Requests

  • Look for unusual WFS XML payloads or large/complex XML requests.
  • Monitor internal network traffic for signs of SSRF.
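One way to implement the monitoring step above, as an added example that is not part of this advisory or of GeoServer's code: it inspects a WFS POST body for a DOCTYPE, an external entity declaration, or an entity/schema reference outside an allowlist of hosts, and returns findings a WAF rule or log-scanning job could act on. The allowlist, the sample request bodies and the placeholder path are constructed for the example; ALLOWED_HOSTS only mirrors the idea of ENTITY_RESOLUTION_ALLOWLIST and is not GeoServer's actual setting.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed allowlist of schema hosts. It only mirrors the idea behind GeoServer's
# ENTITY_RESOLUTION_ALLOWLIST; these values are an assumption, not GeoServer's configuration.
ALLOWED_HOSTS = {"schemas.opengis.net", "www.w3.org"}

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY name SYSTEM "uri"> and <!ENTITY % name PUBLIC "id" "uri">; group 1 holds the literals.
ENTITY_RE = re.compile(r"""<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b((?:\s+(?:"[^"]*"|'[^']*'))+)""", re.I)
SCHEMALOC_RE = re.compile(r"""schemaLocation\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)

def disallowed_references(body: str) -> List[str]:
    """URIs the XML layer would fetch (entity/DTD identifiers, schema URLs) outside the allowlist."""
    uris = []
    for m in ENTITY_RE.finditer(body):
        literals = [a or b for a, b in re.findall(r'"([^"]*)"|\'([^\']*)\'', m.group(1))]
        uris.append(literals[-1])  # for PUBLIC the last literal is the system URI
    for m in SCHEMALOC_RE.finditer(body):
        uris.extend((m.group(1) or m.group(2)).split()[1::2])  # pairs: namespace url namespace url
    bad = []
    for u in uris:
        p = urlparse(u)
        if not (p.scheme in ("http", "https") and p.hostname and p.hostname in ALLOWED_HOSTS):
            bad.append(u)  # file:, jar:, ftp: or an unexpected host
    return bad

def classify_wfs_request(body: str) -> Dict[str, object]:
    """Findings for one WFS POST body, as a WAF rule or log-scanning job would compute them."""
    bad = disallowed_references(body)
    findings = {"doctype": bool(DOCTYPE_RE.search(body)),
                "external_entity": bool(ENTITY_RE.search(body)),
                "disallowed_references": bad}
    # A legitimate WFS request never needs a DOCTYPE or an external entity declaration.
    findings["suspicious"] = findings["doctype"] or findings["external_entity"] or bool(bad)
    return findings

# Constructed sample WFS GetFeature body (not captured traffic).
BENIGN = """<?xml version="1.0"?>
<wfs:GetFeature service="WFS" version="2.0.0" xmlns:wfs="http://www.opengis.net/wfs/2.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.opengis.net/wfs/2.0 http://schemas.opengis.net/wfs/2.0/wfs.xsd">
  <wfs:Query typeNames="topp:states"/></wfs:GetFeature>"""
# Same request carrying a DOCTYPE with an external entity aimed at a placeholder local path.
XXE_SHAPED = ('<?xml version="1.0"?><!DOCTYPE q [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
              + BENIGN.split("?>", 1)[1])
# Same request whose schema URL points at a host outside the allowlist (an SSRF-style fetch).
UNTRUSTED_SCHEMA = BENIGN.replace("http://schemas.opengis.net/wfs/2.0/wfs.xsd",
                                  "http://unexpected-host.example/wfs.xsd")
```

Run `classify_wfs_request` over each body captured at the WFS endpoint; anything with `suspicious` set deserves a closer look, and the `disallowed_references` list tells the analyst which external fetch the request would have triggered.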

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is actively monitoring for exploitation attempts and evaluating threat intelligence for indicators of compromise (IOCs). Actions include:

At this time, the potential for exploitation underscores the urgency of applying the available patches.
