GeoServer - XXE (CVE-2025-58360)

CVE-2025-58360 is an XML External Entity (XXE) vulnerability in GeoServer versions 2.26.0 to before 2.26.2 and before 2.25.6, which allows attackers to exploit unsanitized XML input via the /geoserver/wms GetMap operation. This flaw could enable remote attackers to access sensitive files or internal resources on the server, potentially leading to information disclosure or limited denial of service.

CrowdSec has been tracking this vulnerability and its exploits since 10th of December 2025.

CrowdSec network observations suggest that most exploitation of CVE-2025-58360 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. In addition, according to the CrowdSec network, attack volume against CVE-2025-58360 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers exploit the GeoServer WMS GetMap operation by sending crafted XML payloads to endpoints like /geoserver/wfs?service=WMS&request=GetMap or /wfs?service=WMS&request=GetMap, leveraging XML External Entity (XXE) injection to disclose files or cause denial of service.