Overview
- The flaw, tracked as CVE-2025-58360 with a CVSS score of 8.2, is an unauthenticated XML External Entity (XXE) injection in the /geoserver/wms GetMap endpoint; it affects GeoServer 2.26.1 and earlier.
- Canada’s Cyber Centre reported on November 28 that an exploit exists in the wild; public reporting notes that no technical details of the attack method have been disclosed.
- CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and directed Federal Civilian Executive Branch agencies to remediate by the due date.
- GeoServer maintainers warn that exploitation can enable arbitrary file reads, server-side request forgery (SSRF) against internal services, or denial of service; patched releases are available.
- Exposure remains significant: Shadowserver is tracking 2,451 GeoServer IPs and Shodan lists over 14,000 instances online, and prior GeoServer flaws were used to breach a U.S. agency in 2024.
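Two triage checks a defender can run today, as an added example (my code, not the article's and not the GeoServer project's): a version comparison against the affected range the article states, and a pass over web access logs for requests to /geoserver/wms that carry the generic markers every XXE payload needs (a DOCTYPE with an entity declaration, a SYSTEM identifier, or a parameter-entity reference). Assumptions, mine rather than the page's: anything newer than 2.26.1 is treated as patched (confirm against the vendor advisory); logs are in Combined Log Format, so XML sent in a POST body is invisible and such POSTs are only flagged for manual review; the sample lines are constructed, and the parameter carrying the XML in them (SLD_BODY) is illustrative, since the in-the-wild method is undisclosed.

```python
"""Triage helpers for the GeoServer WMS XXE (CVE-2025-58360) described above.

Added example; not code from the article or from GeoServer.
"""
import re
from urllib.parse import unquote_plus

# The article says 2.26.1 and earlier are affected. Treating anything newer as
# patched is an assumption: check the vendor advisory for the exact fixed builds.
LAST_AFFECTED = (2, 26, 1)


def parse_version(text: str) -> tuple:
    """Pull a major.minor[.patch] triple out of a version string such as
    '2.26.1' or 'GeoServer 2.25.0' (the form /geoserver/rest/about/version.json
    reports it in; assumption about that endpoint's field layout is the reader's)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the instance falls inside the range the article calls affected."""
    return parse_version(version) <= LAST_AFFECTED


# Generic XXE markers (after URL-decoding). These are what any external-entity
# payload needs; nothing here claims to match the undisclosed in-the-wild exploit.
XXE_MARKERS = re.compile(
    r"<!DOCTYPE|<!ENTITY|SYSTEM\s+[\"']|%[A-Za-z_][\w.-]*;", re.IGNORECASE
)

# Prefix of a Combined Log Format line: client, ident, user, [timestamp], "METHOD PATH PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def flag_wms_requests(log_lines):
    """Return one dict per request to /geoserver/wms worth a look: XXE markers in
    the query string, or a POST whose body the access log cannot show."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote_plus(m["path"])  # decode %XX and '+' before pattern matching
        if not path.lower().startswith("/geoserver/wms"):
            continue
        if XXE_MARKERS.search(path):
            reason = "xxe-markers-in-query"
        elif m["method"].upper() == "POST":
            reason = "post-to-wms-body-not-logged"  # GetMap via POST carries XML in the body
        else:
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "reason": reason})
    return hits


# Constructed sample log lines (not from any real incident). The second one
# carries a decoded payload of <!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/hostname">]><x>&e;</x>
# inside an SLD_BODY parameter, chosen only to exercise the marker regex.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Nov/2025:10:00:01 +0000] "GET /geoserver/wms?SERVICE=WMS&VERSION=1.1.1'
    '&REQUEST=GetMap&LAYERS=topp:states&BBOX=-125,24,-66,50&WIDTH=600&HEIGHT=400'
    '&SRS=EPSG:4326&FORMAT=image/png HTTP/1.1" 200 51234',
    '203.0.113.7 - - [28/Nov/2025:10:02:17 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap'
    '&LAYERS=topp:states&BBOX=-125,24,-66,50&WIDTH=1&HEIGHT=1&SRS=EPSG:4326&FORMAT=image/png'
    '&SLD_BODY=%3C%3Fxml+version%3D%221.0%22%3F%3E%3C%21DOCTYPE+x+%5B%3C%21ENTITY+e+SYSTEM'
    '+%22file%3A%2F%2F%2Fetc%2Fhostname%22%3E%5D%3E%3Cx%3E%26e%3B%3C%2Fx%3E HTTP/1.1" 500 0',
    '198.51.100.4 - - [28/Nov/2025:10:03:02 +0000] "POST /geoserver/wms HTTP/1.1" 200 2048',
    '10.0.0.9 - - [28/Nov/2025:10:03:40 +0000] "GET /geoserver/web/ HTTP/1.1" 200 8812',
]


if __name__ == "__main__":
    for v in ("2.26.1", "GeoServer 2.25.0", "2.26.2"):
        print(f"{v}: affected={is_affected(v)}")
    for hit in flag_wms_requests(SAMPLE_LOG):
        print(hit)
```

The query-string check is only as good as what the web tier logs; if GetMap requests arrive as POST, the body is where the XML lives, and the only way to see it is a reverse proxy or WAF that captures request bodies for /geoserver/wms, or GeoServer's own request logging. The version check belongs in the same run: a hit from an instance already above 2.26.1 is a probe to note, not an incident.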