CVE-2025-58360

unknown KEV

Published 2025-11-25 · Modified 2025-12-11

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.

CISA KEV

Vendor: OSGeo
Product: GeoServer
Due date: 2026-01-01

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

{Vendor advisory: cisa-kev — This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 ; https://osgeo-org.atlassian.net/browse/GEOS-11922 ; https://nvd.nist.gov/vuln/detail/CVE-2025-58360}

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Metasploit modules

auxiliary_gather/geoserver_wms_getmap_xxe_file_read rank 300

GeoServer WMS GetMap XXE Arbitrary File Read

Source fetch failed: fetch_error — view the original via the link above.

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	org.geoserver.web:gs-web-app	`>=2.26.0,<2.26.2`	`2.26.2`
Maven	org.geoserver:gs-wms	`>=2.26.0,<2.26.2`	`2.26.2`
Maven	org.geoserver.web:gs-web-app	`<2.25.6`	`2.25.6`
Maven	org.geoserver:gs-wms	`<2.25.6`	`2.25.6`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.