CVE-2024-34711: GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)

June 10, 2025

An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. Attacker can abuse this to scan internal networks and gain information about them then exploit further. Moreover, attacker can read limited .xsd file on system.

References

docs.geoserver.org/latest/en/user/production/config.html
github.com/advisories/GHSA-mc43-4fqr-c965
github.com/geoserver/geoserver
github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965
nvd.nist.gov/vuln/detail/CVE-2024-34711

Code Behaviors & Features

Detect and mitigate CVE-2024-34711 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →