CVE-2025-30220: [XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service
The GeoServer Web Feature Service (WFS) was found to be vulnerable to the GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack.
It is possible to trigger the parsing of external DTDs and entities, bypassing the standard entity resolvers. This allows Out-of-Band (OOB) exfiltration of local files readable by the GeoServer process, and Server-Side Request Forgery (SSRF).
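The advisory's point is that the entity resolver is not a reliable control, since the vulnerable code path bypasses it. The following added example (not GeoServer or GeoTools code) shows the two controls a defender can put in front of a WFS-style endpoint instead: a gate that refuses any request body containing a DOCTYPE, and a parse with external general and parameter entity resolution switched off at the parser-feature level. The request bodies, the `example:layer` type name and the `collector.invalid` host are constructed for the example; `xml.sax` from the Python standard library is the parser.

```python
"""Defensive handling of XML request bodies on a WFS-style endpoint.

Added example: this is not GeoServer or GeoTools code. It assumes the raw
request body is available as bytes before it reaches the real parser.
Two layers:
  1. a pre-parse gate that rejects any DOCTYPE, since a WFS request never
     legitimately carries a DTD or entity declaration, and
  2. a SAX parse with external general/parameter entity resolution switched
     off at the parser-feature level, so an entity reference that somehow
     reaches the parser is never fetched. This does not depend on an
     EntityResolver, which is the layer the advisory says is bypassed.
"""
import io
import re
import xml.sax
from xml.sax import handler

# Any DOCTYPE at all. Deliberately matches inside comments too: a WFS body
# has no business containing the string, so a false positive costs nothing.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# DOCTYPE whose DTD lives at a SYSTEM/PUBLIC URI (external DTD subset).
EXT_DTD_RE = re.compile(rb"<!DOCTYPE\s+[^\s>\[]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Any entity declaration, general or parameter.
ENTITY_DECL_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def classify_body(body: bytes) -> list:
    """Return DTD-related findings for a request body; an empty list means clean."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("doctype")
    if EXT_DTD_RE.search(body):
        findings.append("external-dtd")
    if ENTITY_DECL_RE.search(body):
        findings.append("entity-declaration")
    return findings


class _TextCollector(handler.ContentHandler):
    """Collects character data so the caller can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def hardened_parse_text(body: bytes, reject_doctype: bool = True) -> str:
    """Parse body with external entity resolution disabled and return its text.

    With reject_doctype=True (the right setting for a WFS endpoint) any DOCTYPE
    is refused before the parser sees it. reject_doctype=False exists only to
    show that even then the parser does not expand an external entity.
    """
    if reject_doctype and DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE not permitted: " + ", ".join(classify_body(body)))
    parser = xml.sax.make_parser()
    # Feature-level switch: no external general or parameter entities.
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return "".join(collector.chunks)


def is_rejected(body: bytes) -> bool:
    """True if the gate refuses the body before parsing."""
    try:
        hardened_parse_text(body)
    except ValueError:
        return True
    return False


# Constructed sample bodies (not captured traffic). collector.invalid is a
# placeholder host; the .invalid TLD never resolves.
BENIGN_GETFEATURE = b"""<?xml version="1.0"?>
<wfs:GetFeature service="WFS" version="1.1.0" xmlns:wfs="http://www.opengis.net/wfs">
  <wfs:Query typeName="example:layer"><wfs:PropertyName>name</wfs:PropertyName></wfs:Query>
</wfs:GetFeature>"""

EXTERNAL_DTD_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE GetFeature SYSTEM "http://collector.invalid/remote.dtd">
<GetFeature service="WFS"/>"""

EXTERNAL_ENTITY_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE GetFeature [
  <!ENTITY ext SYSTEM "http://collector.invalid/resource">
]>
<GetFeature service="WFS">&ext;</GetFeature>"""

if __name__ == "__main__":
    samples = [("benign", BENIGN_GETFEATURE), ("external dtd", EXTERNAL_DTD_BODY),
               ("external entity", EXTERNAL_ENTITY_BODY)]
    for label, body in samples:
        print(f"{label:16s} findings={classify_body(body)} rejected={is_rejected(body)}")
    # Entities switched off: the reference expands to nothing and nothing is fetched.
    print("text with DOCTYPE allowed:", repr(hardened_parse_text(EXTERNAL_ENTITY_BODY, reject_doctype=False)))
```

The gate is the control to rely on: rejecting every DOCTYPE removes the DTD machinery from the attack surface outright, and the findings list gives a log or WAF rule something concrete to record. The feature-level switch is defence in depth for code paths that parse before the gate can run; note that it is set on the parser, not supplied as a resolver.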
References
- docs.geoserver.org/latest/en/user/production/config.html
- github.com/advisories/GHSA-jj54-8f66-c5pc
- github.com/geonetwork/core-geonetwork/pull/8757
- github.com/geonetwork/core-geonetwork/pull/8803
- github.com/geonetwork/core-geonetwork/pull/8812
- github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc
- github.com/geoserver/geoserver
- github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
- github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw
- nvd.nist.gov/vuln/detail/CVE-2025-30220