GeoServer EUVD-2025-17669

CVE-2024-34711 CRITICAL
Information Exposure (CWE-200)
2025-06-10 security-advisories@github.com GHSA-mc43-4fqr-c965
9.3 (CVSS 3.1, GitHub Advisory)

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Patch released: Mar 31, 2026 - 21:13 (nvd); patch available
EUVD ID assigned: Mar 14, 2026 - 19:49 (euvd); EUVD-2025-17669
Analysis generated: Mar 14, 2026 - 19:49 (vuln.today)
CVE published: Jun 10, 2025 - 15:15 (nvd)

Description (GitHub Advisory)

GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform an XML External Entities (XXE) attack and then send GET requests to any HTTP server. By default, GeoServer uses the PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\.xsd. But the regex leaves a chance for attackers to request any HTTP server or limited files. An attacker can abuse this to scan internal networks, gain information about them, and then exploit them further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and do not require you to provide a system property.

Analysis (AI)

CVE-2024-34711 is an improper URI validation vulnerability in GeoServer that allows unauthenticated attackers to bypass XML External Entity (XXE) filtering and perform information disclosure attacks against internal networks. The vulnerability affects GeoServer versions prior to 2.25.0, where a weak regex pattern in the PreventLocalEntityResolver class fails to adequately block malicious URIs, enabling attackers to make arbitrary HTTP requests and scan internal infrastructure. With a CVSS score of 9.3 and a high exploitation probability, this vulnerability poses a significant risk of network reconnaissance and potential lateral movement.

Technical Context (AI)

GeoServer uses the PreventLocalEntityResolver class from the GeoTools library to validate and filter URIs before resolving XML entities during document parsing. The vulnerability is a CWE-200 (Information Exposure) issue rooted in insufficient input validation. The regex pattern (?i)(jar:file|http|vfs)[^?#;]*\.xsd is meant to allow only .xsd files over the listed protocols, but it constrains only the scheme prefix and the .xsd suffix: the [^?#;]* class between them accepts any host and path, so an attacker can craft a URI that satisfies the pattern while pointing at an arbitrary HTTP server, including hosts on internal networks. The XXE attack vector uses XML DOCTYPE declarations to define external entities that point at attacker-controlled or internal network resources. GeoServer 2.25.0 and later default to ENTITY_RESOLUTION_ALLOWLIST mode, which applies a positive allowlist of permitted schema locations rather than relying on regex-based denylist filtering.

Remediation (AI)

Immediate patch: upgrade GeoServer to version 2.25.0 or later, which defaults to ENTITY_RESOLUTION_ALLOWLIST and provides proper URI validation.

For organizations unable to patch immediately:
(1) Enable the ENTITY_RESOLUTION_ALLOWLIST feature explicitly by setting the system property org.geotools.xml.ENTITY_RESOLUTION_ALLOWLIST=true and configuring the allowed external schemas.
(2) Implement network-level controls restricting GeoServer's outbound HTTP/HTTPS connections to known, approved servers only.
(3) Disable external entity resolution at the XML parser level if it is not required by the GeoServer features in use.
(4) Restrict network access to GeoServer admin/REST API endpoints to trusted networks only.
(5) Monitor GeoServer logs for suspicious XML entity resolution attempts and unexpected outbound connections.

Vendor advisory and patch details should be obtained from the GeoServer security advisory page (https://geoserver.org/announcements/vulnerability/) and the GeoTools project security advisories.
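The following is an added example, not code from GeoServer or GeoTools, contrasting the regex check described in the Technical Context with the allowlist approach named in the Remediation section. It assumes the pattern is applied as a full-string match (as Java's matcher().matches() would); the allowlist of hosts and all sample URIs are constructed for illustration, not GeoTools' real defaults.

```python
import re
from urllib.parse import urlsplit

# Pattern quoted in the advisory. Only the scheme prefix and the ".xsd" suffix
# are constrained; the host and path in between are matched by [^?#;]* and
# are never compared against anything.
LEGACY_PATTERN = re.compile(r"(?i)(jar:file|http|vfs)[^?#;]*\.xsd")

# Constructed example allowlist of schema hosts (not GeoTools' real default list).
ALLOWED_HOSTS = {"schemas.opengis.net", "www.w3.org"}


def legacy_allows(system_id: str) -> bool:
    """Model of the pre-2.25.0 regex check (assumption: full-string match)."""
    return LEGACY_PATTERN.fullmatch(system_id) is not None


def allowlist_allows(system_id: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Positive allowlist: scheme must be http(s) and the host must be approved."""
    parts = urlsplit(system_id)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def classify(system_id: str) -> dict:
    """Report how each policy treats a schema location (the entity systemId)."""
    return {"legacy": legacy_allows(system_id), "allowlist": allowlist_allows(system_id)}


# Constructed sample systemIds: a legitimate OGC schema, an internal host with a
# path that merely ends in ".xsd", a local file, and a jar: URL.
SAMPLE_URIS = [
    "http://schemas.opengis.net/gml/3.1.1/base/gml.xsd",
    "http://internal-host.example:8080/anything.xsd",
    "file:///etc/passwd",
    "jar:file:///opt/geoserver/lib/schema.jar!/gml.xsd",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        verdict = classify(uri)
        print(f"{uri:55} legacy={verdict['legacy']!s:5} allowlist={verdict['allowlist']}")
```

The second sample shows the gap the advisory describes: the regex accepts any host as long as the path ends in .xsd, while the allowlist rejects it because the host is not approved.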
