CVE-2025-30220: 
Java vulnerability analysis and mitigation

GeoServer is an open source server that allows users to share and edit geospatial data. A critical vulnerability (CVE-2025-30220) was discovered in GeoTools Schema class use of Eclipse XSD library, affecting GeoServer versions prior to 2.27.1, 2.26.3, and 2.25.7. The vulnerability was disclosed on June 10, 2025, impacting XML processing with gt-xsd-core involved in parsing when documents carry a reference to an external XML schema (GeoTools Advisory).

The vulnerability stems from the gt-xsd-core Schemas class not using the EntityResolver provided by the ParserHandler. This affects the GeoTools library when building an in-memory XSD Library Schema representation, bypassing GeoServer's AllowListEntityResolver and enabling XXE attacks. The vulnerability has been assigned a CVSS v3.1 score of 9.9 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L (GeoServer Advisory).

The vulnerability allows unauthenticated attackers to perform XML External Entity (XXE) processing attacks, enabling Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process and Service Side Request Forgery (SSRF). This can lead to exposure of sensitive information including configuration files, credentials, and system files. The attack can be performed remotely without authentication (GeoServer Advisory).

The vulnerability has been fixed in GeoTools versions 33.1, 32.3, 31.7, and 28.6.1, corresponding to GeoServer versions 2.27.1, 2.26.3, and 2.25.7. The fix includes an API change that allows EntityResolver to be supplied to specific methods in the Schemas class. For systems that cannot immediately update, administrators can configure external entity resolution restrictions using the ENTITYRESOLUTIONALLOWLIST property (GeoServer Config).