CVE-2024-34711

9.3 CRITICAL
XXE

📋 TL;DR

This vulnerability in GeoServer allows unauthorized attackers to perform XML External Entity (XXE) attacks by bypassing URI validation. Attackers can send GET requests to any HTTP server, potentially scanning internal networks and gathering information for further exploitation. All GeoServer versions before 2.25.0 with default configurations are affected.

💻 Affected Systems

Products:
  • GeoServer
Versions: All versions before 2.25.0
Operating Systems: All operating systems running GeoServer
Default Config Vulnerable: ⚠️ Yes
Notes: GeoServer 2.25.0+ defaults to ENTITY_RESOLUTION_ALLOWLIST which mitigates this issue. Older versions require manual configuration changes.

📦 What is this software?

GeoServer is an open-source, Java-based server for publishing and editing geospatial data through OGC standards such as WMS, WFS and WCS.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network reconnaissance, data exfiltration from internal systems, and potential lateral movement leading to full network compromise.

🟠 Likely Case

Internal network scanning, information disclosure about internal services and infrastructure, and potential credential harvesting.

🟢 If Mitigated

Limited impact with proper network segmentation and egress filtering, though some information disclosure may still occur.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely without authentication to probe internal networks.
🏢 Internal Only: MEDIUM - Internal attackers could use this to map network segments and discover services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: the bypass defeats the regex-based URI filtering, so an attacker only needs to submit crafted XML containing an external entity reference.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.25.0 and later

Vendor Advisory: https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965

Restart Required: Yes

Instructions:

1. Upgrade to GeoServer 2.25.0 or later.
2. If upgrading is not possible, set system property 'org.geotools.xml.externalEntitiesEnabled' to 'false'.
3. Restart the GeoServer service.

🔧 Temporary Workarounds

Disable external entity processing
Applies to: all

Configure GeoServer to disable XML external entity processing entirely:

java -Dorg.geotools.xml.externalEntitiesEnabled=false -jar start.jar

Configure entity resolution allowlist
Applies to: all

Manually configure ENTITY_RESOLUTION_ALLOWLIST in older versions: set system property 'org.geotools.xml.entityResolutionAllowList' to restrict the URIs that may be resolved.

🧯 If You Can't Patch

  • Implement strict network egress filtering to block outbound requests from GeoServer
  • Deploy GeoServer in a segmented network zone with limited access to internal resources

🔍 How to Verify

Check if Vulnerable:

Check GeoServer version and verify if external entity processing is enabled without proper restrictions

Check Version:

Check GeoServer web interface admin panel or examine startup logs for version information

Verify Fix Applied:

Verify that the GeoServer version is 2.25.0 or later, or that the system property 'org.geotools.xml.externalEntitiesEnabled' is set to 'false'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Outbound HTTP requests from GeoServer to unexpected destinations
  • Multiple failed entity resolution attempts

Network Indicators:

  • HTTP GET requests from GeoServer to internal IP ranges
  • Unusual outbound traffic patterns from GeoServer instance

SIEM Query:

source="geoserver" AND (http_method="GET" AND NOT dest_ip IN allowed_destinations)
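An added detection example, not code from this page or from the GeoServer project: it applies the logic of the SIEM query above to constructed egress log lines, flagging GET requests from the GeoServer host to destinations outside an allowlist and separating RFC 1918 targets (internal probing) from other unexpected egress, then counting distinct internal hosts per source so a sweep stands out from a single fetch. The GeoServer address, the allowlist and the key=value log format are assumptions.

```python
import ipaddress
import re
# Assumed for this example: the GeoServer host's address and the destinations it
# may legitimately fetch from (e.g. an approved upstream schema host).
GEOSERVER_HOSTS = {"10.0.5.20"}
ALLOWED_DESTINATIONS = {"203.0.113.8"}
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed egress log lines in a key=value format (not real GeoServer or proxy output).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.5.20 method=GET dest=203.0.113.8 path=/schemas/wfs.xsd
2024-05-01T10:00:02Z src=10.0.5.20 method=GET dest=10.0.1.15 path=/
2024-05-01T10:00:02Z src=10.0.5.20 method=GET dest=10.0.1.16 path=/
2024-05-01T10:00:03Z src=10.0.5.20 method=GET dest=198.51.100.7 path=/
2024-05-01T10:00:04Z src=10.0.7.9 method=GET dest=10.0.1.15 path=/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) dest=(?P<dest>\S+) path=(?P<path>\S+)$")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Mirror the SIEM query: a GET from the GeoServer host to a non-allowlisted destination.
    Returns a reason string, or None when the record is benign."""
    if rec["src"] not in GEOSERVER_HOSTS or rec["method"] != "GET" or rec["dest"] in ALLOWED_DESTINATIONS:
        return None
    addr = ipaddress.ip_address(rec["dest"])
    # RFC 1918 targets point at internal probing; anything else is still unexpected egress.
    return "internal-range" if any(addr in net for net in INTERNAL_RANGES) else "unexpected-destination"

def flag_outbound(log_text):
    """Return [(record, reason)] for every suspicious line in the log."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reason := classify(rec)):
            flagged.append((rec, reason))
    return flagged

def internal_hosts_per_source(flagged):
    """Distinct internal hosts touched per source: several in a short window look like a sweep."""
    hosts = {}
    for rec, reason in flagged:
        if reason == "internal-range":
            hosts.setdefault(rec["src"], set()).add(rec["dest"])
    return {src: len(dests) for src, dests in hosts.items()}
```

In production the allowlist should match the value given to 'org.geotools.xml.entityResolutionAllowList', so that anything the server is permitted to resolve is also the only egress the monitoring tolerates.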
