CVE-2025-58360: 
Java vulnerability analysis and mitigation

GeoServer, an open source server for sharing and editing geospatial data, was found to contain an XML External Entity (XXE) vulnerability (CVE-2025-58360). The vulnerability affects versions 2.26.0 to before 2.26.2 and before 2.25.6, where the application accepts XML input through the /geoserver/wms operation GetMap endpoint without sufficient sanitization. This vulnerability was discovered and disclosed on November 25, 2025 (GitHub Advisory).

The vulnerability is classified as an XML External Entity (XXE) attack vector, where the WMS GetMap operation endpoint processes XML input without proper entity reference restrictions. The severity is rated as HIGH with a CVSS v3.1 base score of 8.2 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L). The vulnerability is tracked as CWE-611 (Improper Restriction of XML External Entity Reference) (GitHub Advisory).

The vulnerability allows attackers to read arbitrary files from the server's file system, conduct Server-Side Request Forgery (SSRF) to interact with internal systems, and potentially execute Denial of Service (DoS) attacks by exhausting system resources. The impact primarily affects confidentiality (rated High) and availability (rated Low) of the system (GitHub Advisory).

Users are advised to update to the patched versions: GeoServer 2.25.6, GeoServer 2.26.3, or GeoServer 2.27.0. These versions contain the necessary fixes to address the XXE vulnerability (GitHub Advisory).