GeoServer - XXE (CVE-2025-30220)

CVE-2025-30220 is a critical XML External Entity (XXE) vulnerability in GeoServer, stemming from improper handling of external XML schemas in the GeoTools Schema class and related components. This flaw allows remote, unauthenticated attackers to exploit XML parsing to access sensitive files, exfiltrate data, or potentially perform limited denial-of-service or server-side request forgery (SSRF) attacks.

CrowdSec has been tracking this vulnerability and its exploits since 17th of September 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2025-30220 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. In addition, according to the CrowdSec network, attack volume against CVE-2025-30220 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers exploit this vulnerability by sending specially crafted XML payloads to GeoServer WFS endpoints such as /geoserver/wfs, /geoserver/ows, /wfs, or /ows, attempting to trigger XXE processing and exfiltrate data or perform SSRF.