About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
GeoServer is a widely-used open-source server for sharing, processing, and editing geospatial data. It supports multiple mapping standards and allows users to access and interact with GIS data over the web.
In June 2025, two critical security vulnerabilities in GeoServer were publicly disclosed:
- SSRF vulnerability (CVE-2024-29198)
- XXE vulnerability (CVE-2025-30220)
Both flaws allow unauthenticated attackers to read sensitive files on the server, potentially leading to full system compromise. If you are running GeoServer, immediate action is highly recommended.
Vulnerability Overview
SSRF (Server-Side Request Forgery)
When PROXY_BASE_URL is not configured, GeoServer allows unauthenticated access to the TestWfsPost endpoint. This misconfiguration can be abused to send internal or external requests via the GeoServer, resulting in SSRF.
XXE (XML External Entity)
The GeoTools library, used by GeoServer and GeoNetwork, handles XML via the Eclipse XSD library. Improper configuration of the EntityResolver allows attackers to inject malicious XML entities — enabling arbitrary file read or network access.
Risk Summary
| Detail | Value |
|---|---|
| Vulnerability Types | SSRF / XXE |
| Severity | High |
| Exploitation Method | Remote over network |
| Authentication Needed | None |
| Default Config Affected | Yes |
| User Interaction | Not required |
| Exploit Availability | No public PoC/EXP (yet) |
| Fix Complexity | Low (official patches available) |
Attackers can extract sensitive files like credentials, configuration files, or keys — possibly leading to total server takeover.
Affected Versions
SSRF (CVE-2024-29198)
- GeoServer < 2.24.4
- GeoServer < 2.25.2
XXE (CVE-2025-30220)
- GeoServer < 2.27.1, < 2.26.3, < 2.25.7
- GeoTools < 33.1, < 32.3, < 31.7, < 28.6.1
- GeoNetwork < 4.4.8, < 4.2.13
Solutions and Workarounds
SSRF Mitigation (Temporary)
If you're not using a proxy, block access to TestWfsPost by editing the web.xml file and adding the following at the end:
<security-constraint>
<web-resource-collection>
<web-resource-name>Restrict TestWfsPost</web-resource-name>
<url-pattern>/geoserver/wfs/TestWfsPost*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>none</role-name>
</auth-constraint>
</security-constraint>
SSRF Permanent Fix
Update to the patched versions:
- GeoServer 2.24.4 or 2.25.2 → Download here
XXE Mitigation (Temporary)
Ensure you provide a secure EntityResolver to the following methods:
Schemas.parse(location, locators, resolvers, uriHandlers, entityResolver);
Schemas.findSchemas(configuration, entityResolver);
XXE Permanent Fix
Upgrade to patched versions:
- GeoServer: 2.27.1, 2.26.3, 2.25.7
- GeoTools: 33.1, 32.3, 31.7, 28.6.1
- GeoNetwork: 4.4.8, 4.2.13
→ GeoServer Releases
→ GeoTools Releases
→ GeoNetwork Releases
Reproduction
SSRF
XXE
Product Support
Several security platforms have responded to the vulnerabilities:
- Yuntu: Supports fingerprint detection and PoC scanning
- Dongjian: Custom PoC support launching on 2025-06-13
- SafeLine: Custom detection rule update scheduled for 2025-06-13
- Quanxi: Rule update package expected on 2025-06-13
Timeline
- June 12, 2025 – Advisory released by Changting Security Emergency Response Center
⚠️ If you're running GeoServer in production and haven't patched yet — do it now. These are high-risk, unauthenticated vulnerabilities with low fix complexity.
Top comments (0)