CVE-2025-30220

June 10, 2025, 4:15 p.m.

9.9
Critical

Description

GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

Product(s) Impacted

Vendor Product Versions
Osgeo
  • Geoserver
  • 2.27.1, 2.26.3, 2.25.7
Geotools
  • Geotools
  • 33.1, 32.3, 31.7, 28.6.1
Geonetwork
  • Geonetwork
  • 4.4.8, 4.2.13

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-611
Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a osgeo geoserver 2.27.1 / / / / / / /
a osgeo geoserver 2.26.3 / / / / / / /
a osgeo geoserver 2.25.7 / / / / / / /
a geotools geotools 33.1 / / / / / / /
a geotools geotools 32.3 / / / / / / /
a geotools geotools 31.7 / / / / / / /
a geotools geotools 28.6.1 / / / / / / /
a geonetwork geonetwork 4.4.8 / / / / / / /
a geonetwork geonetwork 4.2.13 / / / / / / /

References

https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
https://github.com/geonetwork/core-geonetwork/pull/8757
https://github.com/geonetwork/core-geonetwork/pull/8803
https://github.com/geonetwork/core-geonetwork/pull/8812
https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc
https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw

Tags

security-advisories@github.com
CWE-611
2025-06-10
CVE-2025-30220

CVSS Score

9.9 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

    View Vector String

Timeline

Published: June 10, 2025, 4:15 p.m.
Last Modified: June 10, 2025, 4:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.