CVE-2025-58360 (GCVE-0-2025-58360)
Vulnerability from cvelistv5 – Published: 2025-11-25 20:17 – Updated: 2026-02-26 16:07- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://github.com/geoserver/geoserver/security/a… | x_refsource_CONFIRM |
| https://osgeo-org.atlassian.net/browse/GEOS-11682 | x_refsource_MISC |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
CISA
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Timestamps
Scope
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | CWE-611 |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | GeoServer |
| Due Date | 2026-01-01 |
| Date Added | 2025-12-11 |
| Vendorproject | OSGeo |
| Vulnerabilityname | OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
Shadowserver
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Characteristics
Timestamps
Scope
Evidence
Type: Honeypot
Signal: In The Wild Attempts
Confidence: 70%
Source: shadowserver
Details
| 1D | 13 |
|---|---|
| Iot | no |
| Feed | Shadowserver Foundation honeypot/exploited-vulnerabilities |
| Type | http-scan |
| Class | other-software |
| 7D Avg | 6 |
| Vendor | Geoserver |
| 30D Avg | 5 |
| 90D Avg | 5 |
| Product | Geoserver |
| Cisa Kev | yes |
| Connections | 2378 |
| Observation Date | 2026-07-07 |
| Vulnerability Class | CVSS |
| Vulnerability Score | 9.8 |
| Vulnerability Severity | Critical |
References
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Timestamps
Scope
Evidence
Type: Public Report
Signal: Successful Exploitation
Confidence: 70%
Source: kevintel
Details
| Feed | KEVIntel (kevintel.com) |
|---|---|
| Title | GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature |
| Vendor | geoserver |
| Product | geoserver |
| Added Date | 2026-05-30T00:00:00.000Z |
| Cvss Score | 8.2 |
| Epss Score | 0.66753 |
| Cvss Severity | HIGH |
| Epss Percentile | 0.99194 |
| Used In Malware | unknown |
| Ahead Of Cisa Kev |
|
| Not Yet In Cisa Kev | False |
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58360",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T04:55:43.956488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-12-11",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:07:29.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T00:00:00.000Z",
"value": "CVE-2025-58360 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.2"
},
{
"status": "affected",
"version": "\u003c 2.25.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T20:17:35.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11682",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11682"
}
],
"source": {
"advisory": "GHSA-fjf5-xgmq-5525",
"discovery": "UNKNOWN"
},
"title": "GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58360",
"datePublished": "2025-11-25T20:17:35.254Z",
"dateReserved": "2025-08-29T16:19:59.010Z",
"dateUpdated": "2026-02-26T16:07:29.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2025-58360",
"cwes": "[\"CWE-611\"]",
"dateAdded": "2025-12-11",
"dueDate": "2026-01-01",
"knownRansomwareCampaignUse": "Unknown",
"notes": "This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 ; https://osgeo-org.atlassian.net/browse/GEOS-11922 ; https://nvd.nist.gov/vuln/detail/CVE-2025-58360",
"product": "GeoServer",
"requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.",
"vendorProject": "OSGeo",
"vulnerabilityName": "OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability"
},
"epss": {
"cve": "CVE-2025-58360",
"date": "2026-07-12",
"epss": "0.66753",
"percentile": "0.99204"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-58360\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-25T21:15:56.363\",\"lastModified\":\"2026-06-17T09:44:21.613\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"geoserver\",\"product\":\"geoserver\",\"versions\":[{\"version\":\"\u003e= 2.26.0, \u003c 2.26.2\",\"status\":\"affected\"},{\"version\":\"\u003c 2.25.6\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-12-12T04:55:43.956488Z\",\"id\":\"CVE-2025-58360\",\"options\":[{\"exploitation\":\"active\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"cisaExploitAdd\":\"2025-12-11\",\"cisaActionDue\":\"2026-01-01\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.25.6\",\"matchCriteriaId\":\"929A415A-3926-49DE-855E-9363B5E495D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.26.0\",\"versionEndExcluding\":\"2.26.2\",\"matchCriteriaId\":\"58DCFD5D-914E-442F-AD07-C019C3BDDB2A\"}]}]}],\"references\":[{\"url\":\"https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://osgeo-org.atlassian.net/browse/GEOS-11682\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
"redhat_vex": {
"current_release_date": "2026-03-27T08:29:26+00:00",
"cve": "CVE-2025-58360",
"id": "CVE-2025-58360",
"initial_release_date": "2025-01-01T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-58360.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-58360\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-12T04:55:43.956488Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-12-11\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-12-11T00:00:00.000Z\", \"value\": \"CVE-2025-58360 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-25T20:30:34.028Z\"}}], \"cna\": {\"title\": \"GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature\", \"source\": {\"advisory\": \"GHSA-fjf5-xgmq-5525\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"geoserver\", \"product\": \"geoserver\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.26.0, \u003c 2.26.2\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.25.6\"}]}], \"references\": [{\"url\": \"https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525\", \"name\": \"https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://osgeo-org.atlassian.net/browse/GEOS-11682\", \"name\": \"https://osgeo-org.atlassian.net/browse/GEOS-11682\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611: Improper Restriction of XML External Entity Reference\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-25T20:17:35.254Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-58360\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T16:07:29.959Z\", \"dateReserved\": \"2025-08-29T16:19:59.010Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-25T20:17:35.254Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.