The maintainers of GeoServer have issued an important security advisory regarding a high-severity vulnerability that could allow unauthenticated attackers to exfiltrate sensitive files or crash servers. The flaw affects GeoServer, a widely deployed open source software server written in Java that allows users to share and edit geospatial data.
Assigned the identifier CVE-2025-58360 and a CVSS score of 8.2, the vulnerability is an XML External Entity (XXE) flaw located in the Web Map Service (WMS).
The issue stems from how the server processes data requests. According to the advisory, “the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap.” The critical failure occurs because “this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request.”
An XXE attack exploits a “weakly configured XML parser” to trick the server into processing malicious references. When successfully exploited, the consequences can be severe for organizations hosting spatial data infrastructure.
The advisory warns that “this attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.” Specifically, a remote attacker could leverage this flaw to:
- Read arbitrary files directly from the server’s file system.
- Conduct Server-Side Request Forgery (SSRF) to probe and interact with internal systems behind the firewall.
- Execute Denial of Service (DoS) attacks by exhausting server resources.
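The root cause described above is a JAXP/Xerces parser that resolves external entities declared in a DOCTYPE. The following added example (not GeoServer's code, and not taken from the advisory) shows, side by side, a parser left at JDK defaults and one hardened against XXE. It builds a simplified, constructed GetMap-style XML document whose DOCTYPE declares an external entity pointing at a temporary file the program itself creates; the weak parser inlines the file contents, while the hardened parser rejects the DOCTYPE before any entity is resolved. The element names (`GetMap`, `Layer`) are a stand-in for the real WMS request schema and are assumptions of the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Parser at JDK defaults: external general entities are resolved and
    // expanded. This is the weakly configured parser the advisory describes;
    // it is here only for contrast and must not be used in production.
    static DocumentBuilder weakParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    // Hardened parser. Forbidding the DOCTYPE outright is the single most
    // effective setting; the remaining features are defence in depth for
    // parsers where disallow-doctype-decl is unsupported.
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Block any remaining fetch of external DTDs or schemas (JAXP 1.5+).
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parse the request and return the text of the first <Layer> element,
    // which is where an expanded entity would surface.
    static String parseAndReadLayer(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getElementsByTagName("Layer").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed test fixture: a local file standing in for anything on
        // the server's file system that must not be disclosed.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "file-contents-that-must-not-leak");

        // Constructed request: DOCTYPE declares an external entity and the
        // body references it inside <Layer>.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE GetMap [ <!ENTITY ext SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<GetMap service=\"WMS\" version=\"1.1.1\"><Layer>&ext;</Layer></GetMap>";

        try {
            // Weak parser: the entity is expanded and the file content is
            // returned to whoever sent the request.
            System.out.println("weak parser     : " + parseAndReadLayer(weakParser(), xml));

            // Hardened parser: the DOCTYPE itself is refused, so no entity is
            // ever declared, let alone resolved.
            try {
                parseAndReadLayer(hardenedParser(), xml);
                System.out.println("hardened parser : UNEXPECTEDLY accepted the request");
            } catch (SAXParseException e) {
                System.out.println("hardened parser : rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Requires Java 11 or later for `Files.writeString`. The same feature set applies to `SAXParserFactory`, `XMLInputFactory` and `TransformerFactory`; any XML entry point in a service that accepts untrusted documents needs the equivalent configuration, and an upgrade to a fixed release is still the correct remediation for the GeoServer instance itself.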
System administrators running GeoServer are urged to patch immediately. The vulnerability is resolvable by upgrading to the latest secure versions. The project developers state: “Update to GeoServer 2.25.6, GeoServer 2.26.3, or GeoServer 2.27.0.”
Failure to apply these updates leaves the “WMS GetMap” operation exposed, where the “XXE vulnerability can be used to retrieve arbitrary files from the server’s file system.”