Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> - it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.
AnalysisAI
Denial of service in MapServer 6.4.0 through 8.6.2 allows remote unauthenticated attackers to crash the server by submitting a small well-formed SLD document via the WMS SLD_BODY= parameter. The flaw is a NULL pointer dereference reached when an SLD <Rule> carries <ElseFilter/> but defines no symbolizer, causing the styling code to index a class array at position -1. No public exploit has been identified at time of analysis, and the issue is fixed in version 8.6.3.
Technical ContextAI
MapServer is a widely deployed open-source server for web-based GIS that implements OGC services including WMS. The vulnerability lives in its Styled Layer Descriptor (SLD) handling: msSLDParseUserStyle unconditionally calls _SLDApplyRuleValues(psRule, psLayer, 1) for any rule containing <ElseFilter/>, assuming msSLDParseRule had created exactly one class. When the rule is structurally valid but contains no symbolizer, msSLDParseRule adds zero classes, so _SLDApplyRuleValues dereferences _class[-1]. This maps to CWE-129 (Improper Validation of Array Index): the code trusts an assumed array length instead of checking the actual class count before indexing, and the resulting negative index produces a NULL pointer dereference and process crash.
RemediationAI
Apply the vendor-released patch: upgrade to MapServer 8.6.3, which contains the fix. Where immediate upgrade is not possible, reduce exposure by disabling or restricting user-supplied SLD on the WMS service - block or reject the SLD_BODY and SLD parameters at a reverse proxy or WAF, and restrict network access to the WMS endpoint to trusted clients; the trade-off is that legitimate clients relying on dynamic SLD styling will lose that capability until patched. Refer to the advisory at https://github.com/MapServer/MapServer/security/advisories/GHSA-4h8g-378q-r75m for authoritative guidance.
Stack-based buffer overflow in MapServer before 6.0.6, 6.2.x before 6.2.4, 6.4.x before 6.4.5, and 7.0.x before 7.0.4 al
In MapServer before 7.0.3, OGR driver error messages are too verbose and may leak sensitive information if data connecti
SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when
Reflected XSS in MapServer 6.0 through 8.6.1 allows unauthenticated remote attackers to inject arbitrary HTML and JavaSc
MapServer versions 4.2 through 8.6.0 are vulnerable to a heap buffer overflow in the SLD (Styled Layer Descriptor) parse
MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x before 7.4.5, and 7.5.x and 7.6.x before 7.6.3 doe
MapServer is a system for developing web-based GIS applications. Rated high severity (CVSS 8.9), this vulnerability is r
Same weakness CWE-129 – Improper Validation of Array Index
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32631