The Apache Software Foundation has issued a security advisory for the Apache Spatial Information System (SIS), a key Java library used for developing geospatial applications. A newly discovered vulnerability, tracked as CVE-2025-68280, exposes systems to XML External Entity (XXE) attacks, potentially allowing malicious actors to read sensitive local files from the server.
Rated as Moderate severity, the flaw affects a decade’s worth of releases, spanning versions 0.4 through 1.5.
The vulnerability stems from an “Improper Restriction of XML External Entity Reference” (CWE-611), a well-known class of XML-processing flaws in which an application parses untrusted XML with external entity resolution left enabled, so that a DOCTYPE in the input can instruct the parser to fetch and inline arbitrary local or remote resources.
In this case, the advisory states that “It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server.” In practice, an attacker could craft a malicious metadata, GML or GPX file, submit it to an application that parses it with SIS, and have the server expand an external entity into any file the Java process is permitted to read, such as configuration files holding credentials, with the content then surfacing wherever the parsed value is echoed back.
The advisory lists the input paths through which untrusted XML reaches the vulnerable parser. Since Apache SIS is designed to manipulate complex geographic structures, the vulnerability surfaces in several key parsing services:
- GeoTIFF Files: Specifically those containing the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG), which embeds an XML metadata document inside the otherwise binary file.
- ISO 19115 Metadata: When parsing metadata in XML format.
- Coordinate Reference Systems: When defined in the Geography Markup Language (GML) format.
- GPS Data: When parsing files in the popular GPS Exchange Format (GPX).
Users of the library are strongly recommended to upgrade to Apache SIS version 1.6, which resolves the issue by enforcing stricter XML parsing rules.
For teams unable to upgrade immediately, a workaround exists. Administrators can launch their Java applications with the javax.xml.accessExternalDTD system property set to an empty string (which denies every protocol) or to a strict, comma-separated whitelist of authorized protocols. This stops the JAXP parsers from fetching external DTDs and external entities over any protocol not on the list, including file:, which neutralizes the attack vector. Two caveats apply: the system property only sets the JVM-wide default, so any code that explicitly sets XMLConstants.ACCESS_EXTERNAL_DTD on its own parser factory overrides it, and the restriction also applies to every other XML parser in the same JVM, so anything that legitimately relies on external DTDs will start failing.
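The following program is an added example, not code from Apache SIS or from the advisory. It reproduces the mechanism described above with the JDK's own DOM parser instead of SIS: a constructed GPX document (one of the formats the advisory names) declares an external entity pointing at a temporary file, and the same document is parsed once with JDK defaults and once with the javax.xml.accessExternalDTD restriction applied. The temporary file, its contents and the GPX payload are all constructed for the demonstration; the restriction is set on the factory via XMLConstants.ACCESS_EXTERNAL_DTD, which is the per-parser equivalent of the command-line system property.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed GPX document. The DOCTYPE declares an external general entity
    // whose SYSTEM identifier is a file: URI; "&leak;" in the waypoint name asks
    // the parser to inline that file's content. Any XML format works the same
    // way; GPX is used only because the advisory lists it as an affected input.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE gpx [ <!ENTITY leak SYSTEM \"" + secret.toUri() + "\"> ]>\n"
             + "<gpx version=\"1.1\" creator=\"xxe-demo\">\n"
             + "  <wpt lat=\"0\" lon=\"0\"><name>&leak;</name></wpt>\n"
             + "</gpx>\n";
    }

    /** JDK defaults: accessExternalDTD is "all", so the entity is fetched and expanded. */
    static String parseUnrestricted(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return firstWaypointName(f.newDocumentBuilder(), xml);
    }

    /** Same parse with the advisory's workaround applied to this factory only. */
    static String parseRestricted(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Per-factory equivalent of launching with -Djavax.xml.accessExternalDTD="".
        // An explicit API setting like this one takes precedence over the system property.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return firstWaypointName(f.newDocumentBuilder(), xml);
    }

    private static String firstWaypointName(DocumentBuilder b, String xml) throws Exception {
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive server-side file.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "db_password=hunter2");
        String xml = payload(secret);

        // Prints the file content: the entity was resolved and inlined.
        System.out.println("default parser : " + parseUnrestricted(xml));
        try {
            System.out.println("restricted     : " + parseRestricted(xml));
        } catch (SAXParseException e) {
            // The default error handler turns the blocked access into a fatal parse error.
            System.out.println("restricted     : rejected -> " + e.getMessage());
        }
        Files.delete(secret);
    }
}
```

Running it shows the waypoint name come back as the temporary file's content under the default configuration, and a parse error mentioning the accessExternalDTD restriction once the attribute is set. The deployment-wide form of the same control is the flag from the advisory, for example `java -Djavax.xml.accessExternalDTD="" -jar app.jar`, which applies to every JAXP factory that does not override it.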