CVE-2025-21621

6.1 MEDIUM

📋 TL;DR

GeoServer versions before 2.25.0 contain a reflected cross-site scripting vulnerability in the WMS GetFeatureInfo HTML output format. Attackers can inject malicious JavaScript via SLD_BODY parameters, which executes in victims' browsers when they visit manipulated URLs. This affects all GeoServer instances with WMS service enabled.

💻 Affected Systems

Products:
  • GeoServer
Versions: All versions before 2.25.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WMS service enabled with GetFeatureInfo HTML output format accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware via browser exploits.

🟠 Likely Case: Session hijacking, credential theft, or defacement of GeoServer interfaces through injected content.

🟢 If Mitigated: Limited to same-origin policy restrictions; modern browser XSS protections may partially block exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires social engineering to trick users into clicking malicious links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.25.0

Vendor Advisory: https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72

Restart Required: Yes

Instructions:

1. Back up the current GeoServer configuration.
2. Download GeoServer 2.25.0 or later from the official site.
3. Stop the GeoServer service.
4. Replace the installation with the patched version.
5. Restart the GeoServer service.

🔧 Temporary Workarounds

Disable WMS GetFeatureInfo HTML Output

Applies to: all

Disables the vulnerable output format while keeping other WMS functionality.

Edit web.xml to remove or restrict the GetFeatureInfo HTML format mappings.

Web Application Firewall Rules

Applies to: all

Blocks requests containing suspicious SLD_BODY parameters or JavaScript patterns.

Configure the WAF to filter the SLD_BODY parameter for script tags or JavaScript patterns.

🧯 If You Can't Patch

  • Implement Content Security Policy headers to restrict script execution
  • Use reverse proxy to sanitize SLD_BODY parameters before reaching GeoServer

🔍 How to Verify

Check if Vulnerable:

Send a WMS GetFeatureInfo request in the HTML output format with an SLD_BODY parameter containing a test payload such as <script>alert('test')</script>; a vulnerable server reflects it unescaped in the response.

Check Version:

Check the GeoServer version in the web interface or via the REST endpoint: curl -s http://geoserver-host:8080/geoserver/rest/about/version.json

Verify Fix Applied:

After patching, the same test payload should be properly escaped or rejected rather than reflected into the HTML response.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with SLD_BODY parameter containing script tags or JavaScript code
  • Unusual GetFeatureInfo requests from single IPs

Network Indicators:

  • HTTP requests with encoded script payloads in parameters
  • Abnormal traffic to WMS endpoints

SIEM Query:

source="geoserver.log" AND "SLD_BODY" AND ("<script>" OR "javascript:")
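The SIEM query above matches only literal "<script>" strings, so percent-encoded or double-encoded payloads (the "encoded script payloads" listed under Network Indicators) slip past it. The following added example, written for this page and not part of GeoServer or any vendor tooling, scans constructed access-log lines, decodes the SLD_BODY parameter repeatedly, and flags GetFeatureInfo requests carrying script-like content; the log lines, IPs and regular expressions are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:10:01:02 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetFeatureInfo&INFO_FORMAT=text/html&LAYERS=topp:states&QUERY_LAYERS=topp:states&SLD_BODY=%3CStyledLayerDescriptor%20version%3D%221.0.0%22%3E%3C/StyledLayerDescriptor%3E HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2025:10:02:15 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetFeatureInfo&INFO_FORMAT=text/html&SLD_BODY=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900
10.0.0.9 - - [10/Jan/2025:10:02:16 +0000] "GET /geoserver/wms?REQUEST=GetFeatureInfo&SLD_BODY=%253Cscript%253E HTTP/1.1" 200 900
10.0.0.7 - - [10/Jan/2025:10:03:00 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
# Script tag, javascript: URL, or an on*= event-handler attribute.
SUSPICIOUS_RE = re.compile(r"<\s*script|javascript:|\son\w+\s*=", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so that %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding for a GetFeatureInfo request with a suspicious SLD_BODY, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    # WMS parameter names are case-insensitive, so normalise before lookup.
    params = {k.upper(): v for k, v in query.items()}
    if params.get("REQUEST", [""])[0].lower() != "getfeatureinfo":
        return None
    for raw in params.get("SLD_BODY", []):
        body = fully_decode(raw)  # parse_qs already decoded one layer
        if SUSPICIOUS_RE.search(body):
            return {"client": line.split()[0], "sld_body": body[:80]}
    return None


def scan_log(text):
    """Return all findings from a block of access-log text."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Feed real access logs to scan_log and correlate repeated findings from one client with the "unusual GetFeatureInfo requests from single IPs" indicator above.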
