Key Takeaways
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog.
- The vulnerability, CVE-2025-58360, is an unauthenticated XML External Entity (XXE) flaw that affects all versions prior to and including 2.25.5, and from versions 2.26.0 through 2.26.1.
- Successful exploitation of the vulnerability could allow an attacker to access arbitrary files from the server’s file system, conduct Server-Side Request Forgery (SSRF) to interact with internal systems, or launch a denial-of-service (DoS) attack by exhausting resources.
- The vulnerability has been patched in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1.
- Federal Civilian Executive Branch (FCEB) agencies are advised to apply the required fixes by January 1, 2026, to secure their networks.
Introduction to the Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a high-severity security flaw impacting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, identified as CVE-2025-58360, has a CVSS score of 8.2, indicating a significant risk to affected systems. The flaw is an unauthenticated XML External Entity (XXE) vulnerability that affects all versions prior to and including 2.25.5, and from versions 2.26.0 through 2.26.1. This means that any system running these versions of OSGeo GeoServer is potentially vulnerable to exploitation.
Technical Details of the Vulnerability
The vulnerability occurs when the application accepts XML input through a specific endpoint, the GetMap operation of /geoserver/wms. This allows an attacker to define external entities within the XML request, which the server's XML parser then processes. The affected packages include docker.osgeo.org/geoserver, org.geoserver.web:gs-web-app (Maven), and org.geoserver:gs-wms (Maven). Successful exploitation of the vulnerability could allow an attacker to access arbitrary files from the server’s file system, conduct Server-Side Request Forgery (SSRF) to interact with internal systems, or launch a denial-of-service (DoS) attack by exhausting resources.
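The defensive counterpart to the behaviour described above is to refuse a DTD before any XML parser can act on it: a map request has no legitimate need for a DOCTYPE or entity declarations, so rejecting them outright is the standard XXE mitigation. The following Python is an added example written for this article, not GeoServer's own code or its actual fix; the request bodies and the `check_xml_body` function are constructed for illustration, and the file path in the sample entity is a placeholder.

```python
"""Pre-parse DTD check for XML request bodies (added example, not GeoServer code).

A WMS GetMap request has no legitimate need for a DOCTYPE, so the simplest
hardening is to refuse any body that declares one before a full XML parser
ever sees it. This mirrors the usual XXE mitigation of disabling DTDs
entirely rather than trying to allow only "safe" entities.
"""
import xml.parsers.expat


class DtdDeclared(Exception):
    """Raised from an expat callback the moment a DOCTYPE or entity appears."""


def check_xml_body(body: bytes) -> str:
    """Classify an inbound XML body as 'accept', 'reject:dtd' or 'reject:malformed'.

    Expat callbacks follow the real XML grammar (a regex would be fooled by
    comments or unusual encodings). No ExternalEntityRefHandler is installed
    and parsing is aborted by exception at the first declaration, so nothing
    in the document is ever resolved or fetched.
    """
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdDeclared(name)

    def on_entity(*_):
        raise DtdDeclared("entity")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except DtdDeclared:
        return "reject:dtd"
    except xml.parsers.expat.ExpatError:
        # Not well-formed XML: fail closed instead of passing it downstream.
        return "reject:malformed"
    return "accept"


# Constructed sample bodies (illustrative shapes, not captured traffic or
# a real WMS schema).
BENIGN_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<GetMap version="1.1.1">
  <Layer>topp:states</Layer>
  <Format>image/png</Format>
</GetMap>
"""

# Declares an external entity; the path is a placeholder.
DTD_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE GetMap [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER-PATH">
]>
<GetMap version="1.1.1"><Layer>&ext;</Layer></GetMap>
"""

MALFORMED_BODY = b"<GetMap><Layer>topp:states</GetMap>"

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_BODY), ("dtd", DTD_BODY),
                        ("malformed", MALFORMED_BODY)]:
        print(f"{label:10} -> {check_xml_body(body)}")
```

The check runs over the raw bytes before the application's real parser, so it works as a filter in front of the endpoint regardless of which XML library sits behind it; a body carrying only an external DTD reference (no internal subset) is rejected by the same DOCTYPE callback.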
Consequences of Exploitation
The consequences of exploiting this vulnerability can be severe. An attacker could use the vulnerability to access sensitive files on the server, potentially leading to data breaches or other security incidents. Additionally, the vulnerability could be used to conduct Server-Side Request Forgery (SSRF) attacks, which could allow an attacker to interact with internal systems or services that are not intended to be accessible from the internet. Finally, the vulnerability could be used to launch a denial-of-service (DoS) attack, which could cause the server to become unresponsive or even crash.
Mitigation and Remediation
To mitigate the risk of exploitation, it is essential to apply the required fixes as soon as possible. The vulnerability has been patched in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. Federal Civilian Executive Branch (FCEB) agencies are advised to apply the required fixes by January 1, 2026, to secure their networks. Another critical flaw in the same software (CVE-2024-36401, CVSS score: 9.8) has been exploited by multiple threat actors over the past year, which underscores the importance of keeping the software up to date.
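Turning the affected and fixed version numbers above into an inventory triage is the first practical step for most teams. The Python below is an added example, not a tool from the GeoServer project or CISA; it encodes only the ranges stated in this article (up to and including 2.25.5, and 2.26.0 through 2.26.1) and treats everything else as fixed. The hostnames and version strings are constructed.

```python
"""Version triage for CVE-2025-58360 (added example, not a GeoServer tool).

Compares a GeoServer version string against the affected ranges stated in
the advisory: everything up to and including 2.25.5, and 2.26.0 through
2.26.1. Anything outside those ranges (2.25.6, 2.26.2, 2.27.0, 2.28.x) is
treated as fixed. Numeric tuple comparison is used because plain string
comparison misorders releases such as 2.25.10 versus 2.25.5.
"""
import re

AFFECTED_RANGES = [
    ((0, 0, 0), (2, 25, 5)),   # all versions prior to and including 2.25.5
    ((2, 26, 0), (2, 26, 1)),  # 2.26.0 through 2.26.1
]


def parse_version(text: str) -> tuple:
    """Turn '2.26.1', '2.25.5-SNAPSHOT' or 'GeoServer 2.28.0' into a 3-tuple.

    Trailing qualifiers are dropped; a missing patch component is padded
    with 0 so that '2.27' compares as (2, 27, 0).
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """Return True if the version falls inside an affected range."""
    v = parse_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: dict) -> dict:
    """Map each host to 'patch' or 'ok'; unparseable versions become 'unknown'."""
    verdicts = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = "patch" if is_affected(version) else "ok"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


# Constructed inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gis-01.example": "2.25.5",
    "gis-02.example": "2.25.6",
    "gis-03.example": "2.26.1",
    "gis-04.example": "2.26.2",
    "gis-05.example": "GeoServer 2.28.1",
    "gis-06.example": "2.24.0",
    "gis-07.example": "unknown build",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {SAMPLE_INVENTORY[host]:18} {verdict}")
```

Because pre-release qualifiers such as "-SNAPSHOT" are stripped, a snapshot of a fixed version is reported as fixed; treat those builds conservatively and confirm the deployed artifact rather than relying on the string alone. Hosts reported as "unknown" need a manual version check before they are cleared.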
Real-World Exploitation
While there are currently no details available on how the security defect is being abused in real-world attacks, a bulletin from the Canadian Centre for Cyber Security on November 28, 2025, stated that "an exploit for CVE-2025-58360 exists in the wild." This suggests that threat actors are actively exploiting the vulnerability, making it essential to apply the required fixes as soon as possible. The vulnerability's addition to CISA’s Known Exploited Vulnerabilities (KEV) catalog also highlights the importance of addressing the issue promptly.
Conclusion
The high-severity security flaw impacting OSGeo GeoServer, CVE-2025-58360, poses a significant risk to affected systems. It can be exploited to access arbitrary files from the server’s file system, conduct Server-Side Request Forgery (SSRF) attacks, or launch a denial-of-service (DoS) attack. To mitigate the risk of exploitation, it is essential to apply the required fixes as soon as possible. Federal Civilian Executive Branch (FCEB) agencies are advised to apply the required fixes by January 1, 2026, to secure their networks. By taking prompt action, organizations can help protect themselves against potential security incidents and ensure the integrity of their systems.