CVE-2025-30220
📋 TL;DR
This XXE vulnerability in the Schema class of GeoTools' gt-xsd-core module, which GeoServer and GeoNetwork use to parse XML, lets an attacker who can get the server to process a crafted XML document read files the server process can access or make the server issue requests to other hosts (server-side request forgery). It affects any deployment that parses untrusted XML through gt-xsd-core with external schema references, including GeoServer, applications built on GeoTools, and GeoNetwork. The root cause is that external entity resolution was not restricted when schemas were loaded through the Eclipse XSD library.
💻 Affected Systems
- GeoServer
- GeoTools
- GeoNetwork
📦 What is this software?
GeoTools by GeoTools: an open-source Java GIS toolkit. gt-xsd-core is its XML Schema parsing module; GeoServer and GeoNetwork build on it, which is why all three are affected.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file readable by the server process (data-directory configuration, stored credentials, private keys) and SSRF against internal services and cloud metadata endpoints reachable from the server. XXE does not execute code by itself; escalation beyond disclosure and SSRF depends on what those reachable services expose.
Likely Case
Unauthorized file system reads leading to exfiltration of configuration files, credentials, or sensitive geospatial data.
If Mitigated
Egress filtering removes the SSRF and out-of-band channels, and parser hardening stops entity and schema fetching altogether; until the patch is applied, some information disclosure may still occur where parsed content is reflected in responses.
🎯 Exploit Status
XXE is a well-understood vulnerability class with public tooling, so working payloads are easy to produce. This instance is triggered by an XML document carrying external schema (or entity) references that gt-xsd-core resolves; exploitation requires only that the attacker can get such a document to an endpoint that parses it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: GeoServer 2.27.1, 2.26.3, 2.25.7; GeoTools 33.1, 32.3, 31.7, 28.6.1; GeoNetwork 4.4.8, 4.2.13
Vendor Advisory: https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc
Restart Required: Yes
Instructions:
1. Identify your GeoServer/GeoTools/GeoNetwork version.
2. Upgrade to the patched version for your release line.
3. Restart the service.
4. Verify the fix by checking the reported version and testing XML processing.
🔧 Temporary Workarounds
Disable external entity processing
Configure the XML parsers in the deployment to refuse external entity and external schema resolution
Set system properties: -Djavax.xml.accessExternalDTD="" -Djavax.xml.accessExternalSchema="" (an empty value denies every protocol; the value "all" permits every protocol and is the insecure JAXP default, not a mitigation)
Configure parser features: XMLConstants.FEATURE_SECURE_PROCESSING=true and, on Xerces-based parsers, http://apache.org/xml/features/disallow-doctype-decl=true
Caveat: these JAXP settings govern only parsers created through JAXP; test that the gt-xsd-core / Eclipse XSD code path honors them before relying on them, and see the GeoServer production guide on external entity resolution in the references
Network isolation
Restrict outbound network access from GeoServer instances
Configure firewall rules to block outbound HTTP/HTTPS from GeoServer
Use network policies to restrict egress traffic
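The mechanism the first workaround defends against, as an added example that is not GeoTools, GeoServer or Eclipse XSD code: a constructed XXE document is run through Python's standard-library SAX parser, once with external general entities enabled (the vulnerable configuration) and once with them disabled (the counterpart of javax.xml.accessExternalDTD=""), followed by a DOCTYPE rejection check that plays the role of the Java-side disallow-doctype-decl feature. The secret file, its path, its contents and the payload are all constructed inside the example.

```python
"""Added example, not GeoTools/GeoServer/Eclipse XSD code: the XXE mechanism
this workaround blocks, shown with Python's standard-library SAX parser so it
runs offline.  The secret file, its path and the payload are constructed."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Accumulates character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_collecting_text(document, allow_external_entities):
    """Parse `document` (bytes) and return its concatenated text content.
    allow_external_entities=True mirrors a parser that fetches SYSTEM entities
    (the vulnerable configuration); False is the hardened setting, the Python
    analogue of javax.xml.accessExternalDTD=""."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(document))
    return "".join(handler.parts)


def reject_doctype(document):
    """Defence in depth: refuse any document carrying a DOCTYPE, the only place
    an entity can be declared (the role of Xerces' disallow-doctype-decl)."""
    if b"<!DOCTYPE" in document:
        raise ValueError("DOCTYPE declarations are not accepted")


def build_payload(target_path):
    """Constructed XXE payload: an external general entity whose SYSTEM
    identifier is a server-side path (a file:/// URL behaves the same way)."""
    head = b'<?xml version="1.0"?>\n<!DOCTYPE data [<!ENTITY xxe SYSTEM "'
    return head + target_path.encode() + b'">]>\n<data>&xxe;</data>\n'


def demo():
    """Run one payload through a vulnerable and a hardened parser."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8", newline="\n") as fh:
            fh.write("db.password=hunter2\n")  # constructed secret
        payload = build_payload(secret_path)
        leaked = parse_collecting_text(payload, allow_external_entities=True)
        contained = parse_collecting_text(payload, allow_external_entities=False)
        try:
            reject_doctype(payload)
            rejected = False
        except ValueError:
            rejected = True
    return {"vulnerable": leaked, "hardened": contained, "doctype_rejected": rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With entities enabled the parser opens the path named in the entity declaration and splices the file's contents into the document text, which is exactly the disclosure path described above; with entities disabled the reference expands to nothing, and the DOCTYPE check refuses the document before any entity is even declared.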
🧯 If You Can't Patch
- Reject XML inputs that carry a DOCTYPE declaration or reference schemas from hosts outside an allowlist, before they reach the parser
- Deploy a web application firewall with XXE rules (DOCTYPE and <!ENTITY ... SYSTEM patterns in request bodies)
🔍 How to Verify
Check if Vulnerable:
Compare the running version with the patched releases above: any version in an affected line below its patched release is vulnerable if the instance parses XML received from untrusted clients, since the trigger is an XML document carrying external schema or entity references.
Check Version:
For GeoServer: the About & Status page of the web administration interface, or GET /geoserver/rest/about/version, which reports the GeoServer, GeoTools and GeoWebCache versions. For GeoTools applications: the resolved gt-xsd-core version in the Maven dependency tree (mvn dependency:tree) or the gt-xsd-core jar on the classpath.
Verify Fix Applied:
Confirm the reported version is a patched release, then submit a test document that references an external entity or an off-host schema (pointing at a host you monitor) and confirm the referenced resource is neither read nor fetched.
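A version check against the patched releases listed in the Official Fix section, as an added example that is not GeoServer, GeoTools or GeoNetwork code. The policy choices are mine, not the advisory's: a GeoServer/GeoNetwork line is identified by its first two version components and a GeoTools line by its first; a line older than every patched line is reported as unlisted-older (treat it as unpatched), and a line newer than every patched line as unlisted-newer rather than assumed safe. The inventory in the main block is constructed.

```python
"""Added example (not GeoServer/GeoTools/GeoNetwork code): classify a reported
version against the patched releases listed on this page."""
import re

# Patched releases exactly as given in the "Official Fix" section above.
PATCHED = {
    "geoserver": ("2.27.1", "2.26.3", "2.25.7"),
    "geotools": ("33.1", "32.3", "31.7", "28.6.1"),
    "geonetwork": ("4.4.8", "4.2.13"),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.26.2-SNAPSHOT' -> (2, 26, 2); raises ValueError on unparseable input."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def release_line(product, version):
    """Components that identify a maintenance line (assumption: GeoTools lines
    are 33.x, 32.x, ...; GeoServer and GeoNetwork lines are major.minor)."""
    return version[:1] if product == "geotools" else version[:2]


def assess(product, version_text):
    """Return 'patched', 'vulnerable', 'unlisted-older' or 'unlisted-newer'."""
    product = product.lower()
    if product not in PATCHED:
        raise ValueError(f"unknown product: {product!r}")
    version = parse_version(version_text)
    line = release_line(product, version)
    lines = {}
    for patched_text in PATCHED[product]:
        patched = parse_version(patched_text)
        lines[release_line(product, patched)] = patched
    if line in lines:
        return "patched" if version >= lines[line] else "vulnerable"
    # Not a line the advisory lists: older lines are not listed as receiving
    # this fix, newer lines are outside what this page documents.
    return "unlisted-older" if line < min(lines) else "unlisted-newer"


def report(inventory):
    """inventory: {(product, host): version_text} -> {(product, host): verdict}."""
    return {key: assess(key[0], ver) for key, ver in inventory.items()}


if __name__ == "__main__":
    sample = {  # constructed inventory
        ("geoserver", "geo-prod-01"): "2.26.2",
        ("geoserver", "geo-prod-02"): "2.27.1",
        ("geotools", "etl-worker"): "28.6",
        ("geonetwork", "catalog"): "4.4.8",
    }
    for (product, host), verdict in report(sample).items():
        print(f"{host:12} {product:10} {verdict}")
```

Feed it the version strings from the About page or the REST version endpoint; the four-component GeoTools release 28.6.1 is handled by plain tuple comparison, so 28.6 ranks below it and is reported as vulnerable.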
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors that mention DOCTYPE, entities, or unresolvable schema locations
- Outbound HTTP/HTTPS requests from the GeoServer process outside its normal set (schema repositories, configured remote services)
- Access to sensitive system or configuration files from the GeoServer process (visible only with file-access auditing such as auditd)
Network Indicators:
- HTTP requests from GeoServer to internal resources (other services, cloud metadata endpoints)
- Unusual outbound traffic patterns
SIEM Query (field names are placeholders; map them onto your access-log, proxy-log and egress-log schema):
source="geoserver" AND (event_type="xml_parse_error" OR request_body="*<!DOCTYPE*" OR request_body="*<!ENTITY*" OR outbound_url="*file:*" OR outbound_url="*http:*")
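The indicators above as triage logic, added here as an example and not taken from GeoServer or any SIEM product. It inspects two inputs: XML request bodies as a reverse proxy or WAF in front of GeoServer could log them (DOCTYPE, external entity declarations, schemaLocation references to unexpected schemes or hosts), and outbound-connection records from the GeoServer host (link-local, internal and unlisted destinations). The key=value log layout, the sample bodies, the sample hostnames and both allowlists are constructed for the example.

```python
"""Added example (not GeoServer code): triage for the indicators above, run
over constructed samples: (1) XML request bodies as a reverse proxy or WAF in
front of GeoServer could log them, (2) outbound connection records from the
GeoServer host.  Log layout, bodies and allowlists are all constructed."""
import ipaddress
import re

# Hosts that legitimately serve schemas to this deployment (constructed).
SCHEMA_HOST_ALLOWLIST = {"geo.example.internal", "schemas.opengis.net"}
# Destinations the GeoServer host is expected to reach (constructed).
EGRESS_ALLOWLIST = {"10.0.5.20", "schemas.opengis.net"}

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.I)
ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.I)
# xsi:schemaLocation, xsi:noNamespaceSchemaLocation and the schemaLocation of
# xs:import / xs:include; the attribute name is captured to tell them apart.
SCHEMA_ATTR_RE = re.compile(
    rb"""((?:\w+:)?(?:noNamespaceS|s)chemaLocation)\s*=\s*["']([^"']*)["']""", re.I)
URI_RE = re.compile(rb"^([a-z][a-z0-9+.\-]*):(?://([^/?#\s]+))?", re.I)
EGRESS_RE = re.compile(r"\bdst=(?P<dst>[^:\s]+)")


def _locations(attr_name, value):
    """URIs a parser would fetch from one schemaLocation attribute: a prefixed
    schemaLocation (xsi:schemaLocation) holds namespace/location pairs, so
    only every second token is a location; the other forms hold one URI."""
    tokens = value.split()
    return tokens[1::2] if attr_name.lower().endswith(b":schemalocation") else tokens


def xml_indicators(body):
    """Indicator labels for one XML request body (empty list = nothing seen)."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("doctype")
    if ENTITY_RE.search(body):
        findings.append("external-entity")
    for attr, value in SCHEMA_ATTR_RE.findall(body):
        for loc in _locations(attr, value):
            m = URI_RE.match(loc)
            if not m:
                continue  # relative reference, resolved against the document base
            scheme = m.group(1).lower().decode()
            host = (m.group(2) or b"").split(b"@")[-1].split(b":")[0].lower().decode()
            if scheme not in ("http", "https"):
                findings.append(f"schema-ref-scheme:{scheme}")
            elif host not in SCHEMA_HOST_ALLOWLIST:
                findings.append(f"schema-ref-host:{host}")
    return findings


def egress_indicators(line):
    """Classify one outbound-connection record (IPv4 address or hostname in dst=)."""
    m = EGRESS_RE.search(line)
    if not m or m.group("dst") in EGRESS_ALLOWLIST:
        return []
    dst = m.group("dst")
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return [f"egress-unlisted-host:{dst}"]
    if addr.is_link_local:
        return [f"egress-link-local:{dst}"]  # cloud metadata services live here
    if addr.is_private or addr.is_loopback:
        return [f"egress-internal:{dst}"]
    return [f"egress-unlisted-ip:{dst}"]


# Constructed samples: a normal WFS request, an XXE probe, a schema pull.
SAMPLE_BODIES = {
    "benign-wfs": (
        b'<wfs:GetFeature service="WFS" version="1.1.0" '
        b'xmlns:wfs="http://www.opengis.net/wfs" '
        b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        b'xsi:schemaLocation="http://www.opengis.net/wfs '
        b'http://schemas.opengis.net/wfs/1.1.0/wfs.xsd">'
        b'<wfs:Query typeName="topp:states"/></wfs:GetFeature>'),
    "xxe": (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM '
            b'"file:///etc/passwd">]><x>&xxe;</x>'),
    "schema-pull": (
        b'<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        b'<xs:import namespace="urn:a" schemaLocation="http://attacker.example/a.xsd"/>'
        b'</xs:schema>'),
}
SAMPLE_EGRESS = [
    "2025-05-20T10:01:02Z host=geoserver01 proc=java dst=schemas.opengis.net:443",
    "2025-05-20T10:01:05Z host=geoserver01 proc=java dst=169.254.169.254:80",
    "2025-05-20T10:01:07Z host=geoserver01 proc=java dst=10.0.0.1:8080",
    "2025-05-20T10:01:09Z host=geoserver01 proc=java dst=attacker.example:80",
]


def triage():
    """Run both detectors over the samples; keys are sample names / log lines."""
    return {"bodies": {n: xml_indicators(b) for n, b in SAMPLE_BODIES.items()},
            "egress": {ln: egress_indicators(ln) for ln in SAMPLE_EGRESS}}
```

The body check deliberately inspects raw bytes rather than a parsed tree, because a parser strips the DOCTYPE and would hide the very thing being looked for; the namespace half of each xsi:schemaLocation pair is skipped so that ordinary OGC requests, whose namespaces point at opengis.net, do not trip the host allowlist. IPv6 literals in dst= are not handled by the simple key=value parser.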
🔗 References
- https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
- https://github.com/geonetwork/core-geonetwork/pull/8757
- https://github.com/geonetwork/core-geonetwork/pull/8803
- https://github.com/geonetwork/core-geonetwork/pull/8812
- https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc
- https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
- https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw