CVE-2025-58360
Published: 25 November 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-58360 is an XML External Entity (XXE) vulnerability (CWE-611) in GeoServer, an open-source server for sharing and editing geospatial data. It affects versions from 2.26.0 up to but excluding 2.26.2, as well as versions prior to 2.25.6. The issue stems from the GetMap operation of the /geoserver/wms endpoint, which accepts unsanitized XML input and so lets attackers define external entities in requests. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L), indicating high severity due to network accessibility and significant confidentiality impact.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables high-impact confidentiality violations, such as unauthorized disclosure of sensitive files on the server via external entity expansion, alongside low-impact availability effects.
GeoServer's security advisory (GHSA-fjf5-xgmq-5525) and issue tracker (GEOS-11682) confirm patches in versions 2.25.6, 2.26.3, and 2.27.0. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities Catalog, signaling real-world exploitation and urging immediate mitigation by affected organizations.
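The mitigation pattern for an endpoint like GetMap is to refuse any request body that declares a DTD or entity before it reaches an XML parser. The following is an added example, not GeoServer's own code (which is Java): a Python pre-parse gate of the kind a reverse proxy or request filter in front of the WMS endpoint could apply, with constructed sample bodies; the function names and the sample SLD documents are assumptions for illustration.

```python
import codecs
import re
import xml.etree.ElementTree as ET

# A DTD (DOCTYPE) or ENTITY declaration is never needed in a WMS GetMap request
# body such as an inline SLD document, so any occurrence is rejected before the
# document reaches an XML parser. Matching is case-insensitive and tolerates
# whitespace after "<!" because parsers differ in leniency.
_DTD_MARKERS = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _to_text(body: bytes) -> str:
    """Decode the body so UTF-16 encoded markup cannot slip past a byte regex."""
    if body.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return body.decode("utf-16", errors="replace")
    if body.startswith(b"<\x00"):   # BOM-less UTF-16LE, document starts with '<'
        return body.decode("utf-16-le", errors="replace")
    if body.startswith(b"\x00<"):   # BOM-less UTF-16BE, document starts with '<'
        return body.decode("utf-16-be", errors="replace")
    return body.decode("utf-8", errors="replace")


def xml_body_is_safe(body: bytes) -> bool:
    """True only if the body carries no DOCTYPE or ENTITY declaration."""
    return _DTD_MARKERS.search(_to_text(body)) is None


def parse_getmap_body(body: bytes) -> ET.Element:
    """Apply the gate, then parse; with no DTD present, entity expansion cannot occur."""
    if not xml_body_is_safe(body):
        raise ValueError("rejected: DTD/entity declaration in WMS request body")
    return ET.fromstring(body)


# Constructed sample request bodies (hypothetical, not captured traffic).
BENIGN_SLD = (b'<?xml version="1.0" encoding="UTF-8"?>'
              b'<StyledLayerDescriptor version="1.0.0"><NamedLayer>'
              b'<Name>roads</Name></NamedLayer></StyledLayerDescriptor>')
DTD_SLD = (b'<?xml version="1.0"?><!DOCTYPE sld [<!ENTITY ext SYSTEM '
           b'"file:///placeholder">]><StyledLayerDescriptor>&ext;'
           b'</StyledLayerDescriptor>')
# The same declaration re-encoded as UTF-16LE, which a plain byte regex would miss.
DTD_SLD_UTF16 = DTD_SLD.decode("ascii").encode("utf-16-le")

if __name__ == "__main__":
    for name, body in [("benign", BENIGN_SLD), ("dtd", DTD_SLD), ("dtd-utf16", DTD_SLD_UTF16)]:
        print(name, "accepted" if xml_body_is_safe(body) else "rejected")
```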
Details
- CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
- KEV Date Added: 11 December 2025
Affected Products
- GeoServer 2.26.0 up to but excluding 2.26.2
- GeoServer versions prior to 2.25.6
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1005: Data from Local System
Why these techniques?
The XXE vulnerability in GeoServer's public-facing WMS GetMap endpoint (T1190: Exploit Public-Facing Application) enables unauthenticated remote attackers to disclose sensitive files from the local system (T1005: Data from Local System) via external entity expansion.