CVE-2025-58360

Dec. 12, 2025, 1:54 p.m.

8.2
High

Description

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Product(s) Impacted

Vendor Product Versions
Geoserver
  • Geoserver
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-611
Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a geoserver geoserver / / / / / / / /
a geoserver geoserver / / / / / / / /

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525
https://osgeo-org.atlassian.net/browse/GEOS-11682
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360

Tags

security-advisories@github.com
CWE-611
2025-11-25
CVE-2025-58360

CVSS Score

8.2 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

    View Vector String

Timeline

Published: Nov. 25, 2025, 9:15 p.m.
Last Modified: Dec. 12, 2025, 1:54 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

security-advisories@github.com

Relations

Here is the list of observables linked to the vulnerability CVE-2025-58360 using threat intelligence.

  • GeoServer
  • GeoServer

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.