漏洞描述
GeoServer是一个开源服务器,允许用户共享和编辑地理空间数据。该漏洞源于 /geoserver/wms 端点的 GetMap 操作在接收 XML请求时未对外部实体引用进行充分限制。攻击者可以利用该漏洞,通过构造恶意的 XML 数据注入外部实体,从而读取服务器上的敏感信息或导致拒绝服务。
GeoServer GetMap XML外部实体注入漏洞
PoC代码
暂无相关漏洞推荐
- POC CVE-2025-58360: GeoServer - XML External Entity Injection
- GeoServer /geoserver/wms GetMap XML 外部实体注入漏洞(CVE-2025-58360)
- GeoServer GetMap 未授权XXE注入漏洞(CVE-2025-58360)
- 安科瑞-智能环保云平台 /MainMonitor/ReflashMap/GetMapId SQL 注入漏洞
- POC CVE-2021-40822: Geoserver - Server-Side Request Forgery
- POC CVE-2022-24816: GeoServer <1.2.2 - Remote Code Execution
- POC CVE-2023-25157: GeoServer OGC Filter - SQL Injection
- POC CVE-2023-43795: GeoServer WPS - Server Side Request Forgery
- POC CVE-2024-29198: GeoServer Demo Request Endpoint - Server Side Request Forgery
- POC CVE-2024-36401: GeoServer RCE in Evaluating Property Name Expressions
- POC CVE-2024-36404: GeoServer and GeoTools - Remote Code Execution
- POC CVE-2025-27505: GeoServer - Missing Authorization on REST API Index
- POC CVE-2025-30220: GeoServer WFS - XXE Processing Vulnerability