CVE-2025-30220

GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

## Summary GeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack. It is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF). ## Details While direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation. This bypasses GeoServer's AllowListEntityResolver enabling XXE attacks. ## PoC No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service. ## Impact * Information Disclosure: This vulnerability allows unauthenticated attackers to read arbitrary files from the server's filesystem that are accessible to the GeoServer process. This can lead to exposure of sensitive information including configuration files, credentials, and system files. The attack can be performed remotely without authentication, making it particularly severe. * Server-Side Request Forgery (SSRF) The mechanism inherently allows forcing GeoServer to make HTTP requests to arbitrary URLs, enabling SSRF attacks against internal network resources ## References * [CVE-2025-30220](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw) XML External Entity (XXE) Processing Vulnerability in XSD schema handling * [External Entities Resolution](https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) (GeoServer User Manual) ## Acknowledgements This vulnerability was initially reported via an automated tool described below. Subsequently a duplicate report via @YacineF, and their patience working with the GeoServer project, was instrumental finding in escalating this issue and determining a resolution. ### XBOW-025-068 Disclaimer This vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

## Summary GeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack. It is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF). ## Details While direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation. This bypasses GeoServer's AllowListEntityResolver enabling XXE attacks. ## PoC No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service. ## Impact * Information Disclosure: This vulnerability allows unauthenticated attackers to read arbitrary files from the server's filesystem that are accessible to the GeoServer process. This can lead to exposure of sensitive information including configuration files, credentials, and system files. The attack can be performed remotely without authentication, making it particularly severe. * Server-Side Request Forgery (SSRF) The mechanism inherently allows forcing GeoServer to make HTTP requests to arbitrary URLs, enabling SSRF attacks against internal network resources ## References * [CVE-2025-30220](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw) XML External Entity (XXE) Processing Vulnerability in XSD schema handling * [External Entities Resolution](https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) (GeoServer User Manual) ## Acknowledgements This vulnerability was initially reported via an automated tool described below. Subsequently a duplicate report via @YacineF, and their patience working with the GeoServer project, was instrumental finding in escalating this issue and determining a resolution. ### XBOW-025-068 Disclaimer This vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

GeoServer es un servidor de código abierto que permite a los usuarios compartir y editar datos geoespaciales. El uso de la librería XSD de Eclipse por parte de la clase Esquema de GeoTools para representar la estructura de datos del esquema es vulnerable a la vulnerabilidad de Entidad Externa XML (XXE). Esto afecta a quien exponga el procesamiento XML con gt-xsd-core involucrado en el análisis, cuando los documentos contienen una referencia a un esquema XML externo. La clase Esquemas de gt-xsd-core no utiliza el EntityResolver proporcionado por ParserHandler (si se configuró alguno). Esto también afecta a los usuarios del almacén de datos gt-wfs-ng donde el parámetro de conexión ENTITY_RESOLVER no se utilizaba correctamente. Esta vulnerabilidad está corregida en GeoTools 33.1, 32.3, 31.7 y 28.6.1, GeoServer 2.27.1, 2.26.3 y 2.25.7, y GeoNetwork 4.4.8 y 4.2.13.