CVE-2025-21621: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability (CVE-2025-21621) was discovered in GeoServer's WMS GetFeatureInfo HTML output format. The vulnerability affects versions prior to 2.25.0 and enables remote attackers to execute arbitrary JavaScript code in victims' browsers through specially crafted SLD_BODY parameters (GitHub Advisory).

The vulnerability exists due to improper neutralization of input during web page generation (CWE-79) in the WMS GetFeatureInfo HTML output format. The WMS service setting that controls HTML auto-escaping was either disabled by default or missing in affected versions. The vulnerability has a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (GitHub Advisory).

If successfully exploited, an attacker could: perform any action within the application that the user can perform, view any information that the user is able to view, modify any information that the user is able to modify, and initiate interactions with other application users that appear to originate from the initial victim user (GitHub Advisory).

The vulnerability has been patched in GeoServer version 2.25.0. For affected versions, several workarounds are available: enable GetFeatureInfo HTML auto-escaping (available in GeoServer 2.21.3+ and 2.22.1+), disable dynamic styling, or disable GetFeatureInfo text/html MIME type (GitHub Advisory).