CVE-2025-58360

HIGH · KEV · NUCLEI · LAB

GeoServer WMS GetMap XXE Arbitrary File Read

Title source: metasploit

Exploitation Summary

CVE-2025-58360 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added December 11, 2025). EIP tracks 8 public exploits, from researchers including quyenheu, thomas-osgood and dyeat, among them the Metasploit module auxiliary/gather/geoserver_wms_getmap_xxe_file_read. A Nuclei detection template is also available.

AI-analyzed exploit summary

This PoC demonstrates an XXE vulnerability in GeoServer versions 2.26.0 to 2.26.2 and before 2.25.6. It sends a crafted XML payload to the /geoserver/wms endpoint to read /etc/passwd.

Description

GeoServer is an open source server for sharing and editing geospatial data. An XML External Entity (XXE) vulnerability (CWE-611) exists in the WMS GetMap operation at /geoserver/wms. GetMap accepts a styling document (SLD) inline in the request, notably through the SLD_BODY parameter, and the XML parser that handles it neither rejects DOCTYPE declarations nor disables external entity resolution, so an unauthenticated attacker can declare an external entity pointing at a local file or a URL and have the server resolve it. The public exploits recover the referenced file's contents from the error response GetMap returns; the writeups also note SSRF and denial-of-service uses of the same parser behaviour. The issue is patched in GeoServer 2.25.6, 2.26.3 and 2.27.0. The affected range is given upstream as 2.26.0 to before 2.26.2 and everything before 2.25.6, but the 2.26.3 fix version and the Maven product ranges below indicate 2.26.2 is affected as well, so treat any 2.26.x release below 2.26.3 as vulnerable.
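To make the parser behaviour concrete, here is an added example (not GeoServer code, which is Java, and not taken from any of the PoCs listed below): the same SLD body, shaped as the page describes it with a DOCTYPE declaring a SYSTEM entity and a reference to it in the document, is fed to Python's SAX parser once with external entity resolution enabled, standing in for the vulnerable GetMap path, and once with it disabled, the hardened setting. The element names, the temp file and its contents are constructed for the demo.

```python
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects every run of character data the parser reports, including
    any text that arrives by way of a resolved external entity."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def build_sld_body(entity_uri: str) -> str:
    """SLD document of the shape the page describes: a DOCTYPE that declares
    an external general entity, and a reference to it inside the body.
    Element names are illustrative; the parser below does not validate."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE StyledLayerDescriptor [\n'
        f'  <!ENTITY xxe SYSTEM "{entity_uri}">\n'
        ']>\n'
        '<StyledLayerDescriptor version="1.0.0">\n'
        '  <NamedLayer><Name>&xxe;</Name></NamedLayer>\n'
        '</StyledLayerDescriptor>\n'
    )


def parse_sld(sld_body: str, resolve_external: bool) -> str:
    """Parse an SLD body and return all character data the parser saw.

    resolve_external=True mirrors a parser configured like the vulnerable
    GetMap code path: the SYSTEM entity is fetched and spliced into the
    document text.  resolve_external=False is the hardened setting: the
    reference is skipped and nothing is read from disk or the network.
    """
    parser = xml.sax.make_parser()
    # Python's SAX parser resolves external general entities only when this
    # feature is switched on (it has been off by default since 3.7.1).
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(sld_body))
    return "".join(collector.parts)


def demo() -> tuple[str, str]:
    """Run both parser configurations against a constructed target file
    written to a temp dir, so the example never touches real system files."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp, "passwd")
        secret.write_text("svc-geoserver:x:1001:1001::/var/geoserver:/bin/sh\n")
        sld = build_sld_body(secret.as_uri())
        leaked = parse_sld(sld, resolve_external=True)
        hardened = parse_sld(sld, resolve_external=False)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked.strip()))
    print("hardened parser returned:  ", repr(hardened.strip()))
```

Plain text files leak cleanly this way; a file containing `<` or `&` breaks the entity parse, which is why several public XXE techniques wrap the content through parameter entities instead. In a JAXP-based service such as GeoServer the equivalent hardening is to disallow DOCTYPE declarations or disable external general and parameter entities on the parser factory; the supported remediation for this CVE is upgrading to a fixed release.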

Exploits (8)

nomisec WORKING POC 4 stars
by quyenheu · infoleak
https://github.com/quyenheu/CVE-2025-58360

This PoC demonstrates an XXE vulnerability in GeoServer versions 2.26.0 to 2.26.2 and before 2.25.6. It sends a crafted XML payload to the /geoserver/wms endpoint to read /etc/passwd.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GeoServer 2.26.0 to 2.26.2 and before 2.25.6
No auth needed
Prerequisites: Network access to the GeoServer instance · WMS service enabled
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by thomas-osgood · infoleak
https://github.com/thomas-osgood/cve-2025-58360

This repository contains a Python-based exploit for CVE-2025-58360, an XXE vulnerability in GeoServer. The exploit automates the process of leaking arbitrary files from a vulnerable GeoServer instance by crafting malicious XML payloads and extracting the leaked data from the server's response.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: GeoServer (version not specified)
No auth needed
Prerequisites: Network access to the vulnerable GeoServer instance · Knowledge of the target file path to leak
devstral-2 · analyzed Feb 16, 2026
github WORKING POC
by dyeat · pythonpoc
https://github.com/dyeat/cve-reproduction/tree/main/GeoServer/GeoServer/CVE-2025-58360

The repository contains functional exploit code for CVE-2025-58360, targeting GeoServer. The PoC demonstrates an information disclosure vulnerability, as evidenced by the presence of screenshots showing the retrieval of sensitive files like /etc/passwd.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: GeoServer
No auth needed
Prerequisites: Network access to vulnerable GeoServer instance
devstral-2 · analyzed May 22, 2026
nomisec WRITEUP
by quyenheu · poc
https://github.com/quyenheu/Bypass-CVE-2025-58360

This repository describes a bypass technique for CVE-2025-58360, an unauthenticated XXE vulnerability in GeoServer. The attack leverages the WMS GetMap operation via the OWS endpoint to bypass WAF protections.

Classification
Writeup 80%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Theoretical
Target: GeoServer (version not specified)
No auth needed
Prerequisites: Access to a vulnerable GeoServer instance · Ability to send crafted XML payloads
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by Joker-Wiggin · infoleak
https://github.com/Joker-Wiggin/CVE-2025-58360-GeoServer-XXE

This is a functional PoC for CVE-2025-58360, demonstrating an unauthenticated XXE vulnerability in GeoServer's WMS GetMap endpoint via the SLD_BODY parameter. The exploit includes educational explanations and supports file reading and SSRF probing.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: GeoServer 2.25.5 and earlier
No auth needed
Prerequisites: Network access to vulnerable GeoServer instance
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER
by rxerium · poc
https://github.com/rxerium/CVE-2025-58360

This repository provides a Nuclei template for detecting CVE-2025-58360, an unauthenticated XXE vulnerability in GeoServer. The template lists the affected versions as prior to 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1, which does not match the fix versions given in the Description above (2.25.6, 2.26.3, 2.27.0). The script checks response headers for the last updated date to identify vulnerable instances, so a hit is a version inference rather than a confirmed payload round-trip.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GeoServer versions prior to 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1
No auth needed
Prerequisites: Nuclei installed · Target URL or list of URLs
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP
by carlzhang123 · poc
https://github.com/carlzhang123/Blackash-CVE-2025-58360

This repository contains a detailed writeup and proof-of-concept examples for CVE-2025-58360, an XXE vulnerability in GeoServer's WMS endpoint. It includes technical details, affected versions, and exploit examples for file disclosure, SSRF, and DoS attacks.

Classification
Writeup 100%
Attack Type
Info Leak | SSRF | DoS
Complexity
Trivial
Reliability
Reliable
Target: GeoServer (2.26.0 – 2.26.1, ≤ 2.25.5)
No auth needed
Prerequisites: Access to the GeoServer WMS endpoint
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
by xbow-security · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/geoserver_wms_getmap_xxe_file_read.rb

This Metasploit module exploits an XXE vulnerability in GeoServer via the WMS GetMap operation to read arbitrary files from the server's filesystem. The exploit crafts a malicious SLD payload with an external entity reference and extracts the file content from the error response.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: GeoServer (>= 2.26.0, <= 2.26.1 and <= 2.25.5)
No auth needed
Prerequisites: Network access to the GeoServer instance · WMS service enabled
devstral-2 · analyzed Feb 16, 2026
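Two of the entries above matter for detection: the Metasploit module recovers file contents from the GetMap error response, and the quyenheu bypass writeup reaches GetMap through the OWS endpoint rather than /geoserver/wms, so a rule pinned to one path misses it. The following is an added example, not code from any listed PoC or template, of detection logic that keys on the payload instead: it decodes the GetMap KVP parameters case-insensitively (WMS parameter names are case-insensitive), flags any SLD_BODY that carries a DOCTYPE, and reports the SYSTEM URIs declared in it. The access-log lines, client IPs and the 169.254.169.254 target are constructed for the demo.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import Optional

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 2: GetMap with an SLD_BODY that declares a file:// entity.
# Line 3: same idea through /geoserver/ows with lower-case parameter names.
# Line 4: GetMap with a benign inline SLD_BODY (must not alert).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2025:10:14:02 +0000] "GET /geoserver/wms?SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&LAYERS=topp:states&BBOX=-180,-90,180,90&WIDTH=256&HEIGHT=256&FORMAT=image/png&SRS=EPSG:4326 HTTP/1.1" 200 18422
10.0.0.9 - - [05/Dec/2025:10:14:10 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states&SLD_BODY=%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C!DOCTYPE%20a%20%5B%3C!ENTITY%20xxe%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%3Ca%3E%26xxe%3B%3C%2Fa%3E&WIDTH=1&HEIGHT=1&FORMAT=image/png&SRS=EPSG:4326 HTTP/1.1" 500 1211
10.0.0.9 - - [05/Dec/2025:10:14:31 +0000] "GET /geoserver/ows?service=WMS&request=getmap&layers=topp:states&sld_body=%3C!DOCTYPE%20x%20%5B%3C!ENTITY%20e%20SYSTEM%20%22http%3A%2F%2F169.254.169.254%2F%22%3E%5D%3E%3Cx%3E%26e%3B%3C%2Fx%3E&width=1&height=1&format=image/png&srs=EPSG:4326 HTTP/1.1" 500 1188
10.0.0.7 - - [05/Dec/2025:10:15:00 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states&SLD_BODY=%3CStyledLayerDescriptor%3E%3CNamedLayer%3E%3CName%3Etopp%3Astates%3C%2FName%3E%3C%2FNamedLayer%3E%3C%2FStyledLayerDescriptor%3E&WIDTH=256&HEIGHT=256&FORMAT=image/png&SRS=EPSG:4326 HTTP/1.1" 200 9021
"""

REQUEST_LINE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
DOCTYPE_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.I)
ENTITY_SYSTEM = re.compile(r'<!ENTITY\b[^>]*?\bSYSTEM\s*["\']([^"\']*)["\']', re.I)


@dataclass
class Finding:
    src: str
    path: str
    status: int
    entity_uris: list


def kvp(query: str) -> dict:
    """Decode an OGC key-value-pair query string with case-folded keys.
    On duplicate keys the first value is kept; a stricter rule would flag both."""
    params = {}
    for key, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
        params.setdefault(key.lower(), value)
    return params


def inspect_request(target: str) -> Optional[list]:
    """Return the SYSTEM entity URIs declared in a GetMap SLD_BODY (an empty
    list if a DOCTYPE is present without one), or None when the request is
    not a GetMap carrying a DOCTYPE in SLD_BODY.  The path is deliberately
    ignored so /wms, /ows and workspace-prefixed endpoints are all covered."""
    params = kvp(urllib.parse.urlsplit(target).query)
    if params.get("request", "").lower() != "getmap":
        return None
    body = params.get("sld_body")
    if body is None or not DOCTYPE_MARKER.search(body):
        return None
    return ENTITY_SYSTEM.findall(body)


def find_xxe_attempts(log_text: str) -> list:
    """Scan access-log text and return one Finding per suspicious GetMap."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.match(line)
        if not match:
            continue
        uris = inspect_request(match["target"])
        if uris is None:
            continue
        findings.append(Finding(
            src=match["src"],
            path=urllib.parse.urlsplit(match["target"]).path,
            status=int(match["status"]),
            entity_uris=uris,
        ))
    return findings


if __name__ == "__main__":
    for f in find_xxe_attempts(SAMPLE_LOG):
        print(f"{f.src} {f.path} status={f.status} entities={f.entity_uris}")
```

Web-server access logs carry only the query string, so an SLD_BODY sent in a POST body is invisible to this check; apply the same inspection to request bodies at the reverse proxy or WAF. A legitimate SLD has no reason to carry a DOCTYPE, which is why the rule alerts on the declaration itself and reports the SYSTEM URI only as context. The 500 status on the flagged lines matches the page's description of the file content coming back in an error response, but the rule does not depend on it.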

Nuclei Templates (1)

GeoServer - XML External Entity Injection
HIGH · VERIFIED · by lbb, xbow, darses
Shodan: title:"geoserver" || http.html_hash:1093634893 "Content-Disposition: inline" || http.favicon.hash:97540678 || html:"/geoserver/"
FOFA: title="geoserver" || app="geoserver" || icon_hash="97540678" || body="/geoserver/"

Scores

CVSS v3 8.2
EPSS 0.8139
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Lab Environment

COMMUNITY
Community Lab
docker pull docker.osgeo.org/geoserver:2.25.5 (vulnerable: below 2.25.6)
docker pull docker.osgeo.org/geoserver:2.27.0 (patched release, for comparison)
+5 more repos

Details

CISA KEV 2025-12-11
VulnCheck KEV 2025-12-05
ENISA EUVD EUVD-2025-199606
CWE
CWE-611
Status published
Products (3)
geoserver/geoserver < 2.25.6
org.geoserver/gs-wms 2.26.0 - 2.26.2 (Maven)
org.geoserver.web/gs-web-app 2.26.0 - 2.26.2 (Maven)
Published Nov 25, 2025
KEV Added Dec 11, 2025
Tracked Since Feb 18, 2026