
""OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request," CISA said. The following packages are affected by the flaw: docker.osgeo.org/geoserver, org.geoserver.web:gs-web-app (Maven), org.geoserver:gs-wms (Maven)."
"Successful exploitation of the vulnerability could allow an attacker to access arbitrary files from the server's file system, conduct Server-Side Request Forgery (SSRF) to interact with internal systems, or launch a denial-of-service (DoS) attack by exhausting resources, the maintainers of the open-source software said in an alert published late last month."
"There are currently no details available on how the security defect is being abused in real-world attacks. However, a bulletin from the Canadian Centre for Cyber Security on November 28, 2025, said "an exploit for CVE-2025-58360 exists in the wild." It's worth noting that another critical flaw in the same software (CVE-2024-36401, CVSS score: 9.8) has been exploited by multiple threat actors over the past year. Federal Civilian Executive Branch (FCEB) agencies are advised to apply the required fixes"
CVE-2025-58360 is an unauthenticated XML External Entity (XXE) vulnerability in OSGeo GeoServer with a CVSS score of 8.2. Affected versions are all releases up to and including 2.25.5 and versions 2.26.0 through 2.26.1; the fix ships in 2.25.6, 2.26.2, 2.27.0, 2.28.0 and 2.28.1. The /geoserver/wms GetMap operation accepts XML input and resolves external entities declared in it, so an unauthenticated request can define its own entities and have the server fetch whatever they point at. That gives an attacker arbitrary file reads from the server's file system, Server-Side Request Forgery (SSRF) against internal systems reachable from the GeoServer host, and denial of service through entity-expansion resource exhaustion. The Canadian Centre for Cyber Security reported on November 28, 2025 that an exploit exists in the wild; no details of the real-world attacks are public, and CISA has directed FCEB agencies to apply the fixes. Remediation is upgrading to a patched release, and that includes deployments built from the docker.osgeo.org/geoserver image or embedding the gs-wms and gs-web-app Maven artifacts, since those are the affected packages. GeoServer's earlier critical flaw CVE-2024-36401 (CVSS 9.8) has been exploited by multiple threat actors over the past year, so an exposed instance is worth checking for both.
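The mechanism behind this class of flaw, shown on a local XML parser rather than on GeoServer itself. This is an added example, not GeoServer's code or the article's: Python's xml.sax stands in for the server-side parser, the "secret" file and both payloads are constructed here, and is_affected encodes only the version ranges stated in the summary above.

```python
"""Added example (not GeoServer's code): the XXE mechanism behind CVE-2025-58360
on a local parser, the hardening that blocks it, and a version check against
the ranges given in the summary.  Payloads and the 'secret' file are constructed."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class _TextCollector(ContentHandler):
    """Collects character data so we can see what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class DoctypeRejected(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE is seen."""


class _DoctypeRejector:
    """Lexical handler that refuses any DTD (the equivalent of Java's
    disallow-doctype-decl feature).  No DTD means no entity declarations, which
    closes both the external-entity (file/SSRF) and the internal entity-expansion
    (DoS) paths in one step."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} rejected (SYSTEM {system_id!r})")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_unsafe(xml_bytes: bytes) -> str:
    """Deliberately vulnerable: external general entities are resolved, so a
    SYSTEM entity naming a file:// or http:// URL is fetched and its contents
    spliced into the document text."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the dangerous setting
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened: no external entities, and any DOCTYPE aborts parsing before a
    single entity is declared."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, _DoctypeRejector())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def _run_both(payload: bytes) -> dict:
    """Feed one payload to both parsers and report what each did."""
    result = {"input_bytes": len(payload), "unsafe_text": parse_unsafe(payload)}
    try:
        parse_hardened(payload)
        result["hardened"] = "PARSED"  # would mean the control failed
    except DoctypeRejected:
        result["hardened"] = "REJECTED"
    return result


def demo_file_disclosure() -> dict:
    """File-read variant.  A constructed temp file stands in for a server-side
    secret (assumption); pointing the entity at an internal http:// URL instead
    is the SSRF variant, fetched by the same code path."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("SECRET-TOKEN-123")
        path = fh.name
    try:
        payload = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE GetMap [<!ENTITY xxe SYSTEM "file://' + path.encode() + b'">]>'
                   b'<GetMap>&xxe;</GetMap>')
        return _run_both(payload)
    finally:
        os.unlink(path)


# Constructed entity-expansion (DoS) payload: d -> 10 c -> 100 b -> 1000 a.
LAUGHS_PAYLOAD = (b'<?xml version="1.0"?><!DOCTYPE GetMap [<!ENTITY a "lol">'
                  b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
                  b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">'
                  b'<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">'
                  b']><GetMap>&d;</GetMap>')


def demo_entity_expansion() -> dict:
    """A few hundred input bytes expand to 3000 characters here; every extra
    level multiplies that by ten, which is the resource-exhaustion DoS."""
    return _run_both(LAUGHS_PAYLOAD)


def is_affected(version: str) -> bool:
    """Ranges as stated in the summary: up to and including 2.25.5, plus
    2.26.0 through 2.26.1.  Pre-release suffixes such as -SNAPSHOT are not handled."""
    parts = [int(p) for p in version.split(".")]
    v = tuple(parts + [0] * (3 - len(parts)))[:3]
    return v <= (2, 25, 5) or (2, 26, 0) <= v <= (2, 26, 1)


if __name__ == "__main__":
    print(demo_file_disclosure())   # unsafe_text is the file's contents; hardened is REJECTED
    print(demo_entity_expansion())  # 3000 chars of text from a ~300-byte request
    print({v: is_affected(v) for v in ("2.25.5", "2.25.6", "2.26.1", "2.26.2", "2.28.1")})
```

GeoServer is a Java application, so the parser-side equivalent of _DoctypeRejector there is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the DocumentBuilderFactory or SAXParserFactory (the OWASP-recommended XXE control); for an operator, though, the control lives inside GeoServer's own GetMap parsing, so the actual remediation is the upgrade, and is_affected is the check to run against the version reported by each instance.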
Read at The Hacker News