GeoServer - XXE (CVE-2025-30220)
195 exploiting IPs reported
GeoServer is an open source server that allows users to share and edit geospatial data. The GeoTools Schema class uses the Eclipse XSD library to represent the schema data structure, and this use is vulnerable to XML External Entity (XXE) injection. It impacts anyone who exposes XML processing in which gt-xsd-core is involved in parsing, when the documents carry a reference to an external XML schema: the gt-xsd-core Schemas class does not use the EntityResolver provided by the ParserHandler (if one was configured). It also impacts users of the gt-wfs-ng DataStore, where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1; GeoServer 2.27.1, 2.26.3, and 2.25.7; and GeoNetwork 4.4.8 and 4.2.13.
CrowdSec analysis
CVE-2025-30220 is a critical XML External Entity (XXE) vulnerability in GeoServer, stemming from improper handling of external XML schemas in the GeoTools Schema class and related components. This flaw allows remote, unauthenticated attackers to exploit XML parsing to access sensitive files, exfiltrate data, or potentially perform limited denial-of-service or server-side request forgery (SSRF) attacks.
CrowdSec has been tracking this vulnerability and its exploits since 17 September 2025.
CrowdSec network observations suggest that most exploitation of CVE-2025-30220 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-30220 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-30220 is currently experiencing high visibility and active exploitation across the internet.
Attackers exploit this vulnerability by sending specially crafted XML payloads to GeoServer WFS endpoints such as /geoserver/wfs, /geoserver/ows, /wfs, or /ows, attempting to trigger XXE processing and exfiltrate data or perform SSRF.
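As an added detection example (not code from the CrowdSec page or from GeoServer/GeoTools), the following Python flags requests to the WFS/OWS endpoints listed above that either carry a DOCTYPE, which a WFS request never needs, or reference a schema from a host outside an allowlist, matching the external-schema trigger the advisory describes. The endpoint regex, the trusted-host allowlist and the sample requests are constructed assumptions.

```python
import re
from typing import List
from urllib.parse import urlparse

# GeoServer WFS/OWS endpoints named on the page as the targets of crafted XML.
WFS_PATHS = re.compile(r"^/(?:geoserver/)?(?:wfs|ows)(?:[?/]|$)", re.IGNORECASE)
# xsi:schemaLocation holds (namespace, location) pairs; each location is a schema
# URL that gt-xsd-core may fetch and parse, the trigger the advisory describes.
SCHEMA_LOCATION = re.compile(r'schemaLocation\s*=\s*"([^"]*)"', re.IGNORECASE)
# Hosts a deployment expects to fetch schemas from (assumed allowlist, adjust locally).
TRUSTED_SCHEMA_HOSTS = {"schemas.opengis.net", "www.w3.org"}

def untrusted_schema_hosts(body: str) -> List[str]:
    """Hosts referenced by xsi:schemaLocation that are not in the allowlist."""
    hosts = set()
    for attr in SCHEMA_LOCATION.findall(body):
        for url in attr.split()[1::2]:  # every second token is a location URL
            host = (urlparse(url).hostname or "").lower()
            if host and host not in TRUSTED_SCHEMA_HOSTS:
                hosts.add(host)
    return sorted(hosts)

def classify_request(path: str, body: str) -> List[str]:
    """Reasons a request to a WFS/OWS endpoint looks like an XXE probe ([] if none)."""
    if not WFS_PATHS.match(path):
        return []
    reasons = []
    # A WFS request never needs a DTD, so any DOCTYPE (the carrier of entity
    # declarations) in the body is suspect on these endpoints.
    if re.search(r"<!DOCTYPE\b", body, re.IGNORECASE):
        reasons.append("doctype-in-wfs-request")
    hosts = untrusted_schema_hosts(body)
    if hosts:
        reasons.append("untrusted-schema-location:" + ",".join(hosts))
    return reasons

# Constructed sample requests (not captured traffic): a normal GetFeature, a DOCTYPE
# probe, an external-schema probe, and a DOCTYPE sent to a non-WFS path.
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation='
SAMPLE_REQUESTS = [
    ("/geoserver/wfs?service=WFS", '<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs" '
     + XSI + '"http://www.opengis.net/wfs http://schemas.opengis.net/wfs/1.1.0/wfs.xsd"/>'),
    ("/ows", '<!DOCTYPE x [<!ENTITY e SYSTEM "http://example.invalid/e.dtd">]>'
     '<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs"/>'),
    ("/geoserver/wfs", '<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs" '
     + XSI + '"http://www.opengis.net/wfs http://example.invalid/wfs.xsd"/>'),
    ("/geoserver/wms", '<!DOCTYPE x [<!ENTITY e SYSTEM "http://example.invalid/e.dtd">]><a/>'),
]
# Per-request verdicts; only the two WFS/OWS probes should carry reasons.
VERDICTS = [(p, classify_request(p, b)) for p, b in SAMPLE_REQUESTS]
```

Run against real traffic, feed decoded POST bodies from the web access layer into `classify_request` and extend the allowlist with any schema hosts your own deployment legitimately references.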
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.