The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday added a high-severity security flaw impacting OSGeo GeoServer to its Identified Exploited Vulnerabilities (KEV) catalog, based mostly on proof of energetic exploitation within the wild.
The vulnerability in query is CVE-2025-58360 (CVSS rating: 8.2), an unauthenticated XML Exterior Entity (XXE) flaw that impacts all variations previous to and together with 2.25.5, and from variations 2.26.0 by 2.26.1. It has been patched in variations 2.25.6, 2.26.2, 2.27.0, 2.28.0, and a pair of.28.1. Synthetic intelligence (AI)-powered vulnerability discovery platform XBOW has been acknowledged for reporting the problem.
“OSGeo GeoServer incorporates an improper restriction of XML exterior entity reference vulnerability that happens when the appliance accepts XML enter by a particular endpoint /geoserver/wms operation GetMap and will enable an attacker to outline exterior entities inside the XML request,” CISA stated.
The next packages are affected by the flaw –
- docker.osgeo.org/geoserver
- org.geoserver.net:gs-web-app (Maven)
- org.geoserver:gs-wms (Maven)
Profitable exploitation of the vulnerability might enable an attacker to entry arbitrary recordsdata from the server’s file system, conduct Server-Aspect Request Forgery (SSRF) to work together with inner methods, or launch a denial-of-service (DoS) assault by exhausting assets, the maintainers of the open-source software program stated in an alert revealed late final month.
There are at present no particulars accessible on how the security defect is being abused in real-world assaults. Nonetheless, a bulletin from the Canadian Centre for Cyber Safety on November 28, 2025, stated “an exploit for CVE-2025-58360 exists within the wild.”
It is price noting that one other essential flaw in the identical software program (CVE-2024-36401, CVSS rating: 9.8) has been exploited by a number of risk actors over the previous 12 months. Federal Civilian Govt Department (FCEB) companies are suggested to use the required fixes by January 1, 2026, to safe their networks.
