Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. The vulnerability in question is CVE-2025-58360 (CVSS score: 8.2), an unauthenticated XML External Entity (XXE) flaw that affects all versions prior to
Analysis Summary
# Vulnerability: Unauthenticated XXE in OSGeo GeoServer Leading to File Access/SSRF
## CVE Details
- CVE ID: CVE-2025-58360
- CVSS Score: 8.2 (High)
- CWE: Unrestricted External Entity Reference in XML
## Affected Systems
- Products: OSGeo GeoServer
- Versions: All versions prior to and including 2.25.5; Versions 2.26.0 through 2.26.1.
- Configurations: Affects GeoServer when processing XML input through specific endpoints, notably the `/geoserver/wms` operation `GetMap`.
## Vulnerability Description
This is an Unauthenticated XML External Entity (XXE) flaw. The application improperly handles XML input, allowing an attacker to define external entities within the XML request sent to vulnerable endpoints (like `/geoserver/wms` GetMap). Successful exploitation allows an unauthenticated attacker to:
1. Read arbitrary files from the server's file system (Information Disclosure).
2. Conduct Server-Side Request Forgery (SSRF) to interact with internal network systems.
3. Cause a Denial-of-Service (DoS) by exhausting system resources.
## Exploitation
- Status: Exploited in the wild (CISA KEV listing and bulletin from Canadian Centre for Cyber Security confirmed existence of an exploit).
- Complexity: Low (Implied by unauthenticated nature and XXE type).
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Arbitrary file read)
- Integrity: Medium/High (Potential for internal system interaction via SSRF)
- Availability: High (Potential for DoS via resource exhaustion)
## Remediation
### Patches
Users must upgrade to one of the following patched versions:
- 2.25.6
- 2.26.2
- 2.27.0
- 2.28.0
- 2.28.1
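To turn the affected and patched version lists above into an inventory check, here is an added example (not code from the advisory or from the GeoServer project) that parses version strings and reports which hosts still fall inside the affected ranges stated above. The inventory mapping and hostnames are constructed for illustration.

```python
import re

# Affected ranges exactly as stated in this summary: everything up to and
# including 2.25.5, plus 2.26.0 through 2.26.1. Anything outside these
# ranges (2.25.6, 2.26.2, 2.27.x, 2.28.x) is treated as not affected.
AFFECTED_RANGES = [
    ((0, 0, 0), (2, 25, 5)),
    ((2, 26, 0), (2, 26, 1)),
]

def parse_version(text):
    """Turn '2.26.1' (or '2.26.1-SNAPSHOT', '2.26') into a comparable
    (major, minor, patch) tuple; a missing patch component counts as 0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version_text):
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def triage(inventory):
    """Given {hostname: version}, return the sorted hostnames that still need the upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

# Constructed inventory for illustration; not real hosts.
INVENTORY = {
    "gis-01.example": "2.25.5",           # last affected 2.25.x release
    "gis-02.example": "2.26.1",           # affected 2.26.x release
    "gis-03.example": "2.26.2",           # patched
    "gis-04.example": "2.24.0-SNAPSHOT",  # old snapshot, still affected
    "gis-05.example": "2.28.1",           # patched
}

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is affected by CVE-2025-58360, upgrade required")
```

Because the affected set is a pair of closed ranges rather than a list of exact versions, the comparison stays correct for point releases the advisory does not name explicitly (for example 2.24.x or 2.27.x).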
### Workarounds
No specific workarounds were detailed in the provided context; immediate patching is the recommended course of action.
## Detection
- Indicators of compromise: Look for unexpected network connections originating from the GeoServer process attempting to communicate with internal or external network resources (consistent with SSRF), or unusual file access patterns.
- Detection methods and tools: Monitor WMS requests directed at the application, specifically looking for XML payloads that contain entity declarations (e.g., `<!ENTITY`, `DOCTYPE`).
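The detection method above can be scripted against captured traffic. The following is an added example (not code from the advisory or the GeoServer project) that inspects WMS requests for DTD and entity declarations in both the POST body and the URL-decoded query string, decoding repeatedly so that double percent-encoding does not hide the markers. The request records and the sample payloads are constructed for this illustration; the `PAYLOAD` query parameter name is hypothetical.

```python
import re
from urllib.parse import quote, unquote_plus

# Markers of a DTD / entity declaration inside XML text. Ordinary WMS requests
# carry no DOCTYPE at all, so any hit deserves a closer look.
MARKERS = {
    "DOCTYPE": re.compile(r"<!DOCTYPE\b", re.IGNORECASE),
    "ENTITY": re.compile(r"<!ENTITY\b", re.IGNORECASE),
    "PARAMETER_ENTITY": re.compile(r"<!ENTITY\s+%", re.IGNORECASE),
    "SYSTEM_ID": re.compile(r"\bSYSTEM\s*[\"']", re.IGNORECASE),
}

def fully_decode(text, max_rounds=3):
    """URL-decode repeatedly (bounded) so percent-encoded or doubly encoded
    query strings are inspected in their plain form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_markers(text):
    """Return the sorted list of marker names present in an XML fragment."""
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))

def inspect_request(req):
    """Inspect one captured request (dict with method, path, query, body) and
    return the markers found in its decoded query string and its body."""
    found = set(find_markers(fully_decode(req.get("query", ""))))
    found.update(find_markers(req.get("body", "")))
    return sorted(found)

def scan_requests(requests):
    """Return (index, path, markers) for every request carrying DTD markers."""
    hits = []
    for i, req in enumerate(requests):
        markers = inspect_request(req)
        if markers:
            hits.append((i, req["path"], markers))
    return hits

# Constructed sample DTD fragment for the double-encoded GET case; the
# hostname is a placeholder, not a real target.
SAMPLE_DTD = '<!DOCTYPE a [<!ENTITY %p SYSTEM "http://internal.example/">]>'

# Constructed sample traffic; none of these are real captures.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/geoserver/wms",
     "query": "SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&LAYERS=example&FORMAT=image/png",
     "body": ""},
    {"method": "POST", "path": "/geoserver/wms", "query": "",
     "body": '<?xml version="1.0"?>\n'
             '<!DOCTYPE GetMap [ <!ENTITY x SYSTEM "file:///CONSTRUCTED-SAMPLE"> ]>\n'
             '<GetMap service="WMS">&x;</GetMap>'},
    {"method": "GET", "path": "/geoserver/wms",
     # hypothetical parameter name, value percent-encoded twice
     "query": "SERVICE=WMS&REQUEST=GetMap&PAYLOAD=" + quote(quote(SAMPLE_DTD, safe=""), safe=""),
     "body": ""},
    {"method": "POST", "path": "/geoserver/wms", "query": "",
     "body": '<?xml version="1.0"?>'
             '<GetMap xmlns="http://www.opengis.net/ows" service="WMS" version="1.3.0"/>'},
]

if __name__ == "__main__":
    for index, path, markers in scan_requests(SAMPLE_REQUESTS):
        print(f"request #{index} to {path}: DTD markers {', '.join(markers)}")
```

The decode loop is the part worth keeping in a production rule: a single `unquote` pass sees only `%253C` and misses the `<!DOCTYPE` underneath. Matching is case-insensitive on purpose; a well-formed XML document uses upper-case keywords, but a detector should not depend on the sender being well-formed.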
## References
- Vendor Advisory: [github[.]com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525]
- CISA Alert: [cisa[.]gov/news-events/alerts/2025/12/11/cisa-adds-one-known-exploited-vulnerability-catalog]
- Canadian Advisory: [cyber[.]gc[.]ca/en/alerts-advisories/geoserver-security-advisory-av25-789]