
Cloud Vulnerability DB
A community-led vulnerabilities database
GeoNetwork's WFS Index functionality is affected by a critical XML External Entity (XXE) vulnerability (CVE-2025-30220) that is triggered during schema validation. The vulnerability was discovered and disclosed in June 2025 and affects GeoNetwork versions 4.4.0 through 4.4.7 and 4.2.0 through 4.2.12. The issue stems from the GeoTools Schema class's use of the Eclipse XSD library to represent schema data structures, specifically in the gt-xsd-core component (GitHub Advisory, GeoTools Advisory).
The vulnerability arises from two technical issues: the gt-xsd-core Schemas class does not use the EntityResolver provided by the ParserHandler, and the gt-wfs-ng DataStore's ENTITY_RESOLVER connection parameter is not applied as intended, so external entity references in parsed documents are resolved rather than rejected. The vulnerability has received a CVSS v3.1 base score of 8.2, with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Unchanged, confidentiality: High, integrity: None, and availability: Low (GitHub Advisory).
The impact is particularly severe because the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files. Any system that exposes XML processing in which gt-xsd-core takes part in parsing is affected, especially when the processed documents carry a reference to an external XML schema (GitHub Advisory, GeoTools Advisory).
The vulnerability has been patched in GeoNetwork versions 4.4.8 and 4.2.13. For users unable to update immediately, a workaround is available: remove the gn-wfsfeature-harvester and gn-camelPeriodicProducer jars, which disables the WFS Index functionality. The fix includes API changes that allow an EntityResolver to be supplied to specific methods in the Schemas class (GitHub Advisory).
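The root cause above is a parser that resolves external entities because no restrictive EntityResolver reaches it. The following added example (not GeoTools or GeoNetwork code; class and method names are hypothetical) shows the defensive pattern the fix enables: a constructed document declaring an external entity, parsed with standard JAXP hardening plus a deny-all EntityResolver, so the entity is refused instead of substituted.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardeningDemo {

    // Constructed sample: an XML document whose DTD declares an external entity
    // pointing at a local file (placeholder path). A parser that resolves
    // external entities would copy that file's contents into <feature>.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE feature [<!ENTITY ext SYSTEM \"file:///tmp/constructed-placeholder.txt\">]>\n"
      + "<feature>&ext;</feature>";

    // A resolver that refuses every external reference. This is the role the
    // ParserHandler's EntityResolver should have played in gt-xsd-core.
    static final EntityResolver DENY_ALL = (publicId, systemId) -> {
        throw new SAXException("external entity blocked: " + systemId);
    };

    // Hardened JAXP configuration: forbid DTDs outright, disable external
    // general and parameter entities as a fallback, and block external DTD and
    // schema access. A factory left at its defaults would resolve the entity.
    static DocumentBuilder newHardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver(DENY_ALL); // still applied if a DTD ever gets through
        return b;
    }

    public static void main(String[] args) throws Exception {
        try {
            Document d = newHardenedBuilder().parse(new InputSource(new StringReader(SAMPLE)));
            System.out.println("unexpected: document accepted: " + d.getDocumentElement());
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

The same two controls (parser features plus an EntityResolver passed into the schema-loading call) are what the patched Schemas methods make possible; the workaround of removing the harvester jars simply keeps such documents from being parsed at all.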
Source: This report was generated using AI