CVE-2024-34711
EUVD-2025-17669
Severity: CRITICAL 9.3 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
Analysis Generated: Mar 14, 2026 - 19:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:49 (euvd), EUVD-2025-17669
CVE Published: Jun 10, 2025 - 15:15 (nvd)

Description

GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform an XML External Entity (XXE) attack and then send GET requests to any HTTP server. By default, GeoServer uses the PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\.xsd, but this regex still leaves attackers a way to send requests to any HTTP server or to a limited set of files. An attacker can abuse this to scan internal networks, gather information about them, and exploit them further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and do not require you to provide a system property.

Analysis

CVE-2024-34711 is an improper URI validation vulnerability in GeoServer that allows unauthenticated attackers to bypass XML External Entity (XXE) filtering and perform information disclosure attacks against internal networks. The vulnerability affects GeoServer versions prior to 2.25.0, where a weak regex pattern in the PreventLocalEntityResolver class fails to adequately block malicious URIs, enabling attackers to make arbitrary HTTP requests and scan internal infrastructure. With a CVSS score of 9.3 and a high exploitation probability, this vulnerability poses a significant risk of network reconnaissance and subsequent lateral movement.

Technical Context

GeoServer uses the PreventLocalEntityResolver class (from the GeoTools library) to validate and filter URIs before resolving XML entities during document parsing. The vulnerability stems from a CWE-200 (Information Exposure) issue rooted in insufficient input validation. The current regex pattern (?i)(jar:file|http|vfs)[^?#;]*\.xsd is meant to allow only .xsd files over the listed schemes, but the negative character class [^?#;] fails to properly constrain the URI space: nothing in the pattern restricts which host the URI may point at. Attackers can exploit this by crafting URIs with query parameters, fragments, or other techniques to bypass the regex and reach arbitrary HTTP servers. The XXE attack vector leverages XML DOCTYPE declarations to define external entities pointing to attacker-controlled or internal network resources. GeoServer versions 2.25.0 and later default to ENTITY_RESOLUTION_ALLOWLIST mode, which implements a positive allowlist rather than relying on blacklist-based regex filtering.

Affected Products

GeoServer versions prior to 2.25.0 are affected. The vulnerability impacts all installations using the default XML entity resolution configuration that rely on PreventLocalEntityResolver from GeoTools. Specific affected version range: GeoServer < 2.25.0 (all minor versions). GeoServer 2.25.0 and later include ENTITY_RESOLUTION_ALLOWLIST by default and are not vulnerable. No CPE strings were provided in the source data; however, the affected product family is GeoServer (the CPE would be cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* with version constraint <2.25.0). Organizations using GeoServer in production should immediately verify the installed version via the administrative interface or package management.

Remediation

Immediate patch: Upgrade GeoServer to version 2.25.0 or later, which defaults to ENTITY_RESOLUTION_ALLOWLIST and provides proper URI validation. For organizations unable to patch immediately: (1) Enable the ENTITY_RESOLUTION_ALLOWLIST feature explicitly by setting the system property org.geotools.xml.ENTITY_RESOLUTION_ALLOWLIST=true and configuring the allowed external schemas; (2) Implement network-level controls restricting GeoServer's outbound HTTP/HTTPS connections to known, approved servers only; (3) Disable external entity (XXE) processing at the XML parser level if it is not required by GeoServer features; (4) Restrict network access to GeoServer admin/REST API endpoints to trusted networks only; (5) Monitor GeoServer logs for suspicious XML entity resolution attempts and unexpected outbound connections. Vendor advisory and patch details should be obtained from the GeoServer security advisory page (https://geoserver.org/announcements/vulnerability/) and the GeoTools project security advisories.
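The following added example (not GeoServer's or GeoTools' own code) makes the gap described in the Technical Context and the allowlist remediation above concrete: it applies the regex quoted on this page to a set of constructed URIs and compares the result with a positive host allowlist of the kind ENTITY_RESOLUTION_ALLOWLIST stands for. Assumptions: GeoTools applies the pattern as an anchored whole-string match (Java String.matches), so Python's re.fullmatch is used as the equivalent; the allowlisted hosts and every sample URI are constructed placeholders, not values from the page or GeoTools defaults. The point a defender should take from it is that the regex constrains the scheme and the file extension but never the host.

```python
import re
from urllib.parse import urlparse

# The pattern quoted in the advisory. Assumption: GeoTools applies it as an
# anchored whole-string match (Java String.matches), so re.fullmatch is used here.
LEGACY_PATTERN = re.compile(r"(?i)(jar:file|http|vfs)[^?#;]*\.xsd")

# Constructed allowlist of schema hosts a deployment legitimately needs.
# Example value only, not GeoTools' own ENTITY_RESOLUTION_ALLOWLIST default.
SCHEMA_HOST_ALLOWLIST = frozenset({"schemas.opengis.net", "www.w3.org"})


def legacy_filter_allows(uri: str) -> bool:
    """Pre-2.25.0 style check: the URI passes if it starts with one of the listed
    prefixes and ends in .xsd. Nothing constrains the host, so any http(s) server
    is reachable as long as the path ends in .xsd."""
    return LEGACY_PATTERN.fullmatch(uri) is not None


def allowlist_allows(uri: str) -> bool:
    """Positive allowlist: http(s) only, host must be listed, default port only,
    no userinfo, no query or fragment, and the path must end in .xsd."""
    parts = urlparse(uri)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # credentials in the authority are never legitimate for a schema fetch
    host = parts.hostname
    if host is None or host.lower() not in SCHEMA_HOST_ALLOWLIST:
        return False
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if port not in (None, 80, 443):
        return False
    if parts.query or parts.fragment:
        return False
    return parts.path.lower().endswith(".xsd")


def compare(uris):
    """Return {uri: (legacy_result, allowlist_result)} so the two policies can be diffed."""
    return {u: (legacy_filter_allows(u), allowlist_allows(u)) for u in uris}


def policy_disagreements(uris):
    """URIs the legacy regex accepts but the allowlist rejects: the gap the advisory describes."""
    return [u for u, (legacy, strict) in compare(uris).items() if legacy and not strict]


# Constructed sample URIs (hostnames are placeholders, not real systems).
SAMPLE_URIS = [
    "http://schemas.opengis.net/gml/3.1.1/base/gml.xsd",  # legitimate schema
    "https://www.w3.org/2001/xml.xsd",                     # legitimate, https
    "http://unlisted-host.example/status/probe.xsd",       # regex accepts: host not on the allowlist
    "http://schemas.opengis.net:8080/gml.xsd",             # regex accepts: non-default port
    "http://schemas.opengis.net/gml.xsd?v=1",              # both reject: query string
    "file:///tmp/local.xsd",                               # both reject: scheme not listed
]

if __name__ == "__main__":
    for uri, (legacy, strict) in compare(SAMPLE_URIS).items():
        print(f"legacy={legacy!s:5} allowlist={strict!s:5} {uri}")
    print("accepted only by the legacy regex:", policy_disagreements(SAMPLE_URIS))
```

Running the comparison over a deployment's own entity-resolution logs (the URIs GeoServer actually tried to fetch) is a quick way to act on remediation step (5): any URI that the legacy check accepted but the allowlist rejects is either a schema host missing from the allowlist or an entity reference that should never have been resolved.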

Priority Score

47
KEV: 0
EPSS: +0.1
CVSS: +46
POC: 0


CVE-2024-34711 vulnerability details – vuln.today
