Detections
Analytics

CVE-2025-58360

critical

Description

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

References

https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-geoserver-flaw/

https://thehackernews.com/2025/12/cisa-flags-actively-exploited-geoserver.html

https://securityaffairs.com/185604/hacking/u-s-cisa-adds-an-osgeo-geoserver-flaw-to-its-known-exploited-vulnerabilities-catalog.html

https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-adds-one-known-exploited-vulnerability-catalog

https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360

https://osgeo-org.atlassian.net/browse/GEOS-11682

Details

Source: Mitre, NVD

Published: 2025-11-25

Updated: 2025-12-12

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.826