CriticalPublic exploit

XXE in GeoServer WFS via GeoTools gt-xsd-core schema parsing

IdentifiersCVE-2025-30220CWE-611· Improper Restriction of XML…

CVE-2025-30220 is an XML External Entity (XXE) vulnerability affecting GeoServer, GeoTools, and GeoNetwork in code paths that use GeoTools gt-xsd-core for XML schema parsing. The flaw is in the GeoTools Schemas class, which uses the Eclipse XSD library to represent schema data structures but does not use the EntityResolver supplied by ParserHandler, if configured. As a result, external entity resolution controls can be bypassed when processing XML documents that reference external XML schemas. In GeoServer, this is exposed through Web Feature Service (WFS) XML processing. The issue also affects users of the gt-wfs-ng DataStore because the ENTITY_RESOLVER connection parameter was not applied as intended. Successful exploitation involves supplying malicious XML/XSD content with external entity or external schema references, causing the parser to resolve attacker-controlled or local resources.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to information disclosure and server-side request forgery (SSRF). An attacker may cause the vulnerable server to read local files accessible to the GeoServer process, including sensitive configuration or system files, and may trigger outbound requests to attacker-controlled or internal network endpoints through external entity or schema resolution. This creates opportunities for out-of-band data exfiltration, internal network probing, and access to otherwise unreachable services. Based on the provided context, the issue is remotely exploitable through exposed WFS/XML processing paths and may be exploitable without authentication depending on service exposure.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of vulnerable XML-processing endpoints, especially WFS. Restrict or disable external and unauthenticated access to WFS/XML services where feasible, place the service behind firewall rules or an API gateway, and monitor for unusual, oversized, or complex XML payloads. Apply network egress controls on the GeoServer host to limit outbound connections and reduce SSRF and out-of-band exfiltration opportunities. Minimize filesystem permissions of the GeoServer process to reduce the impact of arbitrary file reads. Do not rely solely on ENTITY_RESOLUTION_ALLOWLIST or ENTITY_RESOLVER settings for protection in affected versions, as the vulnerable code path bypasses those controls.

Remediation

Patch, then assume compromise.

Upgrade to a fixed release. The provided content states the vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1; GeoServer 2.27.1, 2.26.3, and 2.25.7; and GeoNetwork 4.4.8 and 4.2.13. For GeoServer specifically, affected deployments should update from vulnerable releases such as 2.27.0, 2.26.0-2.26.2, and versions up to 2.25.6 to the corresponding patched versions or later.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GeoserverGs-Web-Appapplication

GeoserverGs-Wfsapplication

GeotoolsGeotoolsapplication

OsgeoGeonetworkapplication

OsgeoGeoserverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

kudelskisecurityNews

Jun 19, 2025

XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service - Kudelski Security Research Center

A high-severity XXE vulnerability in GeoServer WFS, caused by GeoTools not enforcing entity resolution restrictions during schema processing, enabling information disclosure and SSRF.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-30220

NVD

nvd.nist.gov/vuln/detail/CVE-2025-30220

MITRE CWE · CWE-611

Improper Restriction of XML External Entity…

Patch

github.com/geonetwork/core-geonetwork/pull/8757

Patch

github.com/geonetwork/core-geonetwork/pull/8803

Patch

github.com/geonetwork/core-geonetwork/pull/8812

Patch

github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc

Patch

github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc

Third Party Advisory

github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw

Product

docs.geoserver.org/latest/en/user/production/config.html