GHSA-2p76-gc46-5fvc: 
Java vulnerability analysis and mitigation

GeoServer's GeoTools Schema class, which uses Eclipse XSD library for schema data structure representation, is vulnerable to XML External Entity (XXE) exploitation (CVE-2025-30220). The vulnerability affects GeoNetwork versions 4.4.0 through 4.4.7 and 4.2.0 through 4.2.12, particularly impacting the WFS Index functionality during schema validation. This security issue was discovered and disclosed in June 2025, affecting multiple components including GeoTools, GeoServer, and GeoNetwork (GitHub Advisory).

The vulnerability stems from the gt-xsd-core Schemas class not utilizing the EntityResolver provided by the ParserHandler. Additionally, the gt-wfs-ng DataStore's ENTITY_RESOLVER connection parameter was not being used as intended. The vulnerability has received a CVSS v3.1 base score of 8.2, with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Unchanged, confidentiality: High, integrity: None, and availability: Low (GeoTools Advisory).

The vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files. This impacts any system exposing XML processing with gt-xsd-core involved in parsing, especially when documents carry a reference to an external XML schema (GitHub Advisory).

The vulnerability has been patched in GeoNetwork versions 4.4.8 and 4.2.13. For users unable to update immediately, a workaround is available by removing the gn-wfsfeature-harvester and gn-camelPeriodicProducer jars, which will disable the WFS Index functionality. The fix includes API changes allowing EntityResolver to be supplied to specific methods in the Schemas class (GitHub Advisory).