GeoServer RCE Vulnerability: What You Need to Know (CVE-2024-36401)

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

A severe remote code execution (RCE) vulnerability has been discovered in GeoServer, an open-source platform for managing and sharing geospatial data. Identified as CVE-2024-36401, this flaw allows unauthenticated attackers to execute arbitrary code on affected servers—no login required.

If you're running GeoServer in production or for research purposes, patching this should be your top priority.

What Is GeoServer?

GeoServer is a widely used open-source server that allows users to publish, edit, and share geospatial data over the web using standard protocols such as WMS, WFS, and WCS. It's popular in GIS, government, and academic systems for handling spatial datasets.

Vulnerability Summary

CVE ID: CVE-2024-36401

Type: Remote Code Execution (RCE)

Severity: High

Access Vector: Remote (No authentication required)

Impact: Full server compromise

Affected Products: Default GeoServer installations

POC Status: Concept not yet public, but attack is feasible

Patch Available: Yes

Fix Difficulty: Low

Root Cause

The vulnerability stems from the way attribute names are parsed as XPath expressions. Here’s the breakdown:

• GeoServer uses the GeoTools library, which internally passes attribute names to the commons-jxpath library.
• The jxpath library evaluates those strings as XPath—without proper sanitization.
• This behavior was originally intended only for complex feature types, but due to a misconfiguration, it’s now applied to all features, including simple ones.
• This opens the door to arbitrary code execution via malicious XPath payloads.

What Can Attackers Do?

Unauthenticated attackers can send specially crafted requests to default GeoServer endpoints and gain full control over the server.

Exploitable via:

• WFS GetFeature
• WFS GetPropertyValue
• WMS GetMap
• WMS GetFeatureInfo
• WMS GetLegendGraphic
• WPS Execute

Potential Consequences:

• Full remote code execution
• System takeover
• Data theft or manipulation
• Ransomware injection
• Lateral movement inside internal networks

Affected Versions

2.25.0 ≤ GeoServer < 2.25.2  
2.24.0 ≤ GeoServer < 2.24.4  
All versions < 2.23.6  

Mitigation & Fixes

Option 1: Upgrade to a Patched Version

Patches are available for all major versions at:

👉 https://geoserver.org/

Look for patched versions like:

• 2.25.1
• 2.24.3
• 2.23.2
• 2.21.5
• 2.20.7 and others

Replace the vulnerable JARs:

• gt-app-schema
• gt-complex
• gt-xsd-core

This is the recommended fix.

Option 2: Temporary Mitigation (Not Ideal)

You can remove the vulnerable JAR file to disable the attack surface:

# Locate the correct version based on your GeoServer setup
rm gt-complex-<version>.jar

⚠️ Warning: This may break GeoServer functionality, especially if you use extensions that depend on the gt-complex module.

Reproduction

Detection & Response Support

Several platforms already support detection of this vulnerability:

• Yuntu: Fingerprinting and PoC-based scanning supported
• Dongjian: Custom PoC detection supported
• SafeLine WAF: Built-in detection for exploitation behaviors
• Quanxi: Built-in exploitation detection supported

Timeline

• July 2, 2024 — Official advisory published
• July 2, 2024 — Vulnerability reproduced by Chaitin Security Lab
• July 2, 2024 — Public disclosure issued by Chaitin Emergency Response Center

References

• GitHub Advisory: GHSA-6jj6-gm7p-fcvv

Join the SafeLine Community

Want to try a powerful, open source WAF?

• GitHub Repository
• Official Docs
• Discord Community