CVE-2025-59431

9.8 CRITICAL

📋 TL;DR

MapServer versions before 8.4.1 contain a SQL injection vulnerability in the XML Filter Query directive PropertyName. Attackers can bypass expression checking using double quotes to manipulate backend database queries, potentially accessing or modifying sensitive GIS data. All MapServer deployments using vulnerable versions are affected.

💻 Affected Systems

Products:
  • MapServer
Versions: All versions prior to 8.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects deployments using XML Filter Query functionality with PropertyName directive.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise allowing data theft, modification, or deletion; potential remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized access to sensitive GIS data, database information disclosure, and potential data manipulation.

🟢 If Mitigated

Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via double quote bypass requires understanding of MapServer XML Filter Query syntax.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4.1

Vendor Advisory: https://github.com/MapServer/MapServer/security/advisories/GHSA-256m-rx4h-r55w

Restart Required: Yes

Instructions:

1. Back up the current MapServer configuration and data.
2. Download MapServer 8.4.1 or later from the official repository.
3. Follow the upgrade instructions for your platform.
4. Restart MapServer services.
5. Verify functionality.

🔧 Temporary Workarounds

Disable XML Filter Query

all

Temporarily disable XML Filter Query functionality if not required

Modify the MapServer configuration to remove or comment out XML Filter Query directives.

Input Validation Filter

all

Implement web application firewall or input validation to block double quotes in PropertyName values

🧯 If You Can't Patch

  • Implement strict input validation to reject PropertyName values containing double quotes
  • Restrict database user permissions to minimum required for MapServer operations

🔍 How to Verify

Check if Vulnerable:

Check MapServer version; if below 8.4.1 and using XML Filter Query, assume vulnerable.

Check Version:

mapserv -v

Verify Fix Applied:

Confirm MapServer version is 8.4.1 or higher and test XML Filter Query functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from MapServer process
  • SQL error messages in logs
  • Multiple failed query attempts with special characters

Network Indicators:

  • HTTP requests with XML containing double quotes in PropertyName values
  • Unusual database traffic patterns from MapServer
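One way to implement the PropertyName check named under the workarounds and the network indicators, as an added example (not MapServer code and not part of the advisory): it parses the filter XML first, so the test runs on the decoded value and quotes inside Literal values are not flagged. The function names and sample filters are constructed for illustration, and extracting the filter XML from the request is assumed to be done by the caller.

```python
import xml.etree.ElementTree as ET

# Constructed sample filters (not taken from the advisory).
_HEAD = '<ogc:Filter xmlns:ogc="http://www.opengis.net/ogc"><ogc:PropertyIsEqualTo>'
_TAIL = '</ogc:PropertyIsEqualTo></ogc:Filter>'
BENIGN = _HEAD + '<ogc:PropertyName>name</ogc:PropertyName><ogc:Literal>"Paris"</ogc:Literal>' + _TAIL
QUOTED = _HEAD + '<ogc:PropertyName>city"name</ogc:PropertyName><ogc:Literal>x</ogc:Literal>' + _TAIL
ENCODED = _HEAD + '<ogc:PropertyName>city&quot;name</ogc:PropertyName><ogc:Literal>x</ogc:Literal>' + _TAIL
WITH_DTD = '<!DOCTYPE f [<!ENTITY e "x">]>' + BENIGN


def local_name(tag):
    """Strip ElementTree's '{namespace}' prefix so any namespace prefix matches."""
    return tag.rsplit("}", 1)[-1]


def quoted_property_names(filter_xml):
    """Return the decoded PropertyName values that contain a double quote.

    Raises ValueError for input to reject outright: a DTD (a filter never
    needs one, and it enables entity tricks) or XML that does not parse.
    """
    if "<!DOCTYPE" in filter_xml or "<!ENTITY" in filter_xml:
        raise ValueError("DTD not allowed in filter XML")
    try:
        root = ET.fromstring(filter_xml)
    except ET.ParseError as exc:
        raise ValueError(f"malformed filter XML: {exc}") from exc
    hits = []
    for elem in root.iter():
        if local_name(elem.tag) == "PropertyName":
            # itertext() gives the text after entity and CDATA decoding,
            # so &quot; and &#34; are seen as the quote they become.
            value = "".join(elem.itertext())
            if '"' in value:
                hits.append(value)
    return hits


def should_block(filter_xml):
    """Fail closed: block on a quoted PropertyName or on unparseable input."""
    try:
        return bool(quoted_property_names(filter_xml))
    except ValueError:
        return True


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("quoted", QUOTED), ("encoded", ENCODED), ("dtd", WITH_DTD)]:
        print(label, "BLOCK" if should_block(doc) else "allow")
```

A rule that matches a literal quote character in the raw request body would miss the entity-encoded sample and would flag the quoted Literal in the benign one.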

SIEM Query:

source="mapserver.log" AND (("PropertyName" AND "\"") OR "SQL syntax")
