CVE-2024-36404: GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions

February 5, 2025

Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.

References

github.com/Warxim/CVE-2022-41852?tab=readme-ov-file
github.com/advisories/GHSA-w3pj-wh35-fq8w
github.com/geotools/geotools
github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea
github.com/geotools/geotools/pull/4797
github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
nvd.nist.gov/vuln/detail/CVE-2024-36404
osgeo-org.atlassian.net/browse/GEOT-7587
sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download
sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download
sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4
sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download
sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download
sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download
sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download
sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download
sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download
sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download
sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1

Detect and mitigate CVE-2024-36404 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →