The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that attackers are actively exploiting a critical vulnerability in OSGeo GeoServer, the open-source server software used for sharing geospatial data.
The flaw, tracked as CVE-2025-58360 and carrying a CVSS score of 9.8, is an XML External Entity (XXE) vulnerability. It allows attackers to manipulate XML input to access arbitrary files, perform server-side request forgery (SSRF), or trigger denial-of-service (DoS) conditions. GeoServer maintainers explained that the vulnerability occurs because XML input sent to the /geoserver/wms endpoint for the GetMap operation is not properly sanitized, enabling malicious entity definitions within requests.
GeoServer patched the vulnerability in version 2.28.1, released on November 25, 2025. This update also fixed a medium-severity cross-site scripting (XSS) flaw tracked as CVE-2025-21621. Organizations using GeoServer packages, including docker.osgeo.org/geoserver, org.geoserver.web:gs-web-app (Maven), and org.geoserver:gs-wms (Maven), are advised to update to the latest versions—2.25.6, 2.26.3, 2.27.0, or later.
While CISA’s advisory did not provide specifics about in-the-wild exploitation, the cybersecurity firm Wiz and the Canadian Cyber Centre reported that exploits targeting the XXE vulnerability have been circulating since late November. Federal agencies are required to identify and patch affected GeoServer instances within three weeks under Binding Operational Directive (BOD) 22-01.
This vulnerability marks the third GeoServer flaw actively exploited this year. Earlier in 2025, CISA highlighted attacks leveraging CVE-2022-24816 in June and CVE-2024-36401 in July, emphasizing the ongoing risk to organizations relying on GeoServer for geospatial services.
GeoServer users are urged to apply updates immediately and review their XML handling practices to prevent exploitation of similar vulnerabilities.
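As an added illustration of what reviewing XML handling means in a Java application (this is example code, not GeoServer's own parser or anything from the advisory): a JAXP DocumentBuilderFactory configured to refuse DOCTYPE declarations and external entities, checked against two constructed request bodies. The GetMap element layout, the placeholder file URI and the class name are made up for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class HardenedXmlParser {

    // Build a DOM parser that cannot be abused for XXE: no DOCTYPE at all,
    // no external general/parameter entities, no external DTD or schema
    // fetches (blocks the SSRF angle), and no XInclude.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns true if the body parsed, false if the hardened parser refused it
    // (a DOCTYPE triggers a SAXParseException before any entity is resolved).
    static boolean parsesSafely(String xmlBody) {
        try {
            byte[] bytes = xmlBody.getBytes(StandardCharsets.UTF_8);
            Document doc = newHardenedBuilder().parse(new ByteArrayInputStream(bytes));
            return doc.getDocumentElement() != null;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample bodies; the element names are illustrative only.
        String plain = "<GetMap version=\"1.1.1\"><Format>image/png</Format></GetMap>";
        String withDoctype = "<!DOCTYPE GetMap [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
                + "<GetMap><Format>&ext;</Format></GetMap>";
        System.out.println("plain body accepted: " + parsesSafely(plain));
        System.out.println("DOCTYPE body accepted: " + parsesSafely(withDoctype));
    }
}
```

The disallow-doctype-decl feature alone stops entity-based XXE; the remaining settings are belt and braces for parsers that must accept a DTD for other reasons.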