CVE Tools
Sign in

CVE-2025-30220

GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling

Published: Jun 10, 2025Updated: Aug 26, 2025 Sources: CVE List NVD GHSA BDUCWE-611
NVD MITRE
9.9CVSSCRITICAL
EPSS Score
49.2%
Top 1.3%
CISA KEV
Not in KEV
Exploits
1 Known
Remediation
Patch Available
Am I actually vulnerable?1 Nuclei template available — see how to check your systems. How to verify

Description

GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:CC:HI:LA:L
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:CScope
Changed
Impact
C:HConfidentiality
High
I:LIntegrity
Low
A:LAvailability
Low
Open in CVSS calculator →

Weaknesses

CWE-611CWE-918

Affected Products

geotoolsgeotools
Library
OSS Libraries / generic-library
geonetworkosgeo
Mixed
OSS Libraries / generic-library
geoserverosgeo
Mixed
OSS Libraries / generic-library
org.geoserver.web:gs-web-appMavenOSS Libraries
org.geoserver:gs-wfsMavenOSS Libraries
geotoolsoss-projectOSS Libraries
osgeooss-projectOSS Librariesaka gdal, geoserver, mapserver
mavenpackage-ecosystemOSS Libraries
and 3 more affected products View all →

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

1 exploit source identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details
Official Patch Available

MITRE ATT&CK

3 techniques
Collection
Command and Control
Initial Access
View detailed technique mapping

References

https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
docs.geoserver.org
https://github.com/geonetwork/core-geonetwork/pull/8757
github.com
https://github.com/geonetwork/core-geonetwork/pull/8803
github.com
and 6 more references View all →

Timeline

Published
Jun 10, 2025
Last Updated
Aug 26, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-30220 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows