The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw affecting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of real-world exploitation.
The vulnerability in question is CVE-2025-58360 (CVSS score: 8.2), an unauthenticated XML external entity (XXE) flaw that affects all versions before 2.25.5 and versions 2.26.0 through 2.26.1. Patched in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. XBOW, an artificial intelligence (AI)-powered vulnerability discovery platform, is acknowledged for reporting this issue.
“OSGeo GeoServer contains an improper restriction on XML external entity references that occurs when an application accepts XML input through certain endpoints /geoserver/wms operation GetMap, which could allow an attacker to define external entities within an XML request,” CISA said.
The following packages are affected by this flaw:
docker.osgeo.org/geoserver org.geoserver.web:gs-web-app (Maven) org.geoserver:gs-wms (Maven)
Successful exploitation of the vulnerability could allow an attacker to access arbitrary files from the server’s file system, perform server-side request forgery (SSRF) to interact with internal systems, exhaust resources and launch a denial of service (DoS) attack, open source software administrators said in a warning published late last month.
At this time, details about how this security flaw is being exploited in real-world attacks are unknown. However, the Canadian Cyber Security Center’s November 28, 2025 bulletin states that “an exploit for CVE-2025-58360 exists.”
It is worth noting that another critical flaw in the same software (CVE-2024-36401, CVSS score: 9.8) has been exploited by multiple attackers over the past year. Federal Civilian Executive Branch (FCEB) agencies are encouraged to apply the necessary fixes by January 1, 2026 to protect their networks.
Source link
