CVE-2025-58360
Published: 25 November 2025
Summary
CVE-2025-58360 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in GeoServer. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of XML inputs at the GetMap endpoint to block malicious external entity definitions and prevent XXE exploitation.
- Timely patching to GeoServer 2.25.6, 2.26.3 or 2.27.0 directly addresses the identified XXE flaw.
- CM-6 (Configuration Settings): enforces secure configuration of the XML parsers GeoServer uses, disabling external entity processing and DTD expansion.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XXE vulnerability in GeoServer's public-facing WMS GetMap endpoint (T1190: Exploit Public-Facing Application) enables unauthenticated remote attackers to disclose sensitive files from the local system (T1005: Data from Local System) via external entity expansion.
NVD Description
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.
Deeper analysis
CVE-2025-58360 is an XML External Entity (XXE) vulnerability (CWE-611) in GeoServer, an open-source server for sharing and editing geospatial data. It affects versions from 2.26.0 up to but excluding 2.26.2, as well as versions prior to 2.25.6. The issue stems from the /geoserver/wms operation GetMap endpoint, which accepts unsanitized XML input, allowing attackers to define external entities in requests. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L), indicating high severity due to network accessibility and significant confidentiality impact.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables high-impact confidentiality violations, such as unauthorized disclosure of sensitive files on the server via external entity expansion, alongside low-impact availability effects.
GeoServer's security advisory (GHSA-fjf5-xgmq-5525) and issue tracker (GEOS-11682) confirm patches in versions 2.25.6, 2.26.3, and 2.27.0. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities Catalog, signaling real-world exploitation and urging immediate mitigation by affected organizations.
Details
- CWE(s): CWE-611
- KEV Date Added: 11 December 2025