Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

GeoServer XML External Entity Vulnerability in WMS GetMap Operation

Vulnerability

An XML External Entity (XXE) vulnerability has been identified in GeoServer versions prior to 2.25.6 and in the 2.26 series prior to 2.26.3 (the fixed releases are listed under Remediation). The flaw exists because XML supplied to the WMS GetMap operation is parsed with external entity resolution enabled: DOCTYPE and ENTITY declarations in attacker-controlled input are honoured rather than rejected. An attacker can therefore declare an external entity whose system identifier points at a local file or an internal network address and have the parser fetch it, potentially leading to disclosure of sensitive information, denial-of-service conditions through entity expansion, or unauthorized interactions with internal systems.
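The mechanism described above, as an added example that is not GeoServer code and not a GeoServer request: a generic XML parser run in the XXE-prone configuration (external general entities resolved) beside the same parser with that feature off, plus the input check a practitioner would put in front of a WMS endpoint while waiting for the upgrade. The payload, the secret file and all function names are constructed for this illustration; the root element `Request` is a placeholder, not a WMS schema element.

```python
import os
import re
import tempfile
import xml.sax
import xml.sax.handler
from io import BytesIO


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects all character data the parser emits, so leaked entity
    content (if any) shows up in the result."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def _parse(xml_bytes, resolve_external_entities):
    parser = xml.sax.make_parser()
    # This one feature is the difference between the vulnerable and the safe
    # configuration: when True, expat fetches SYSTEM entities (files, URLs).
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(BytesIO(xml_bytes))
    return collector.text()


def parse_vulnerable(xml_bytes):
    """Parser that resolves external general entities (the XXE-prone setup)."""
    return _parse(xml_bytes, resolve_external_entities=True)


def parse_default(xml_bytes):
    """Same parser with external entity resolution off (Python's default)."""
    return _parse(xml_bytes, resolve_external_entities=False)


# A WMS request body has no legitimate need for a DTD. Rejecting DOCTYPE and
# ENTITY declarations up front blocks external entities and also the internal
# entity-expansion bombs that an "external entities off" parser still expands.
_DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def contains_dtd(xml_bytes):
    return _DTD_RE.search(xml_bytes) is not None


def parse_hardened(xml_bytes):
    """Reject any document carrying a DTD, then parse with external entities off."""
    if contains_dtd(xml_bytes):
        raise ValueError("DTD / entity declarations are not accepted in requests")
    return parse_default(xml_bytes)


def build_xxe_payload(system_id):
    """Constructed sample payload (not a real WMS request): one external
    entity whose SYSTEM identifier is `system_id`, expanded in the root."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE Request [<!ENTITY xxe SYSTEM "' + system_id.encode() + b'">]>\n'
        b'<Request>&xxe;</Request>\n'
    )


def run_demo():
    """Write a throwaway "secret" file, point the payload at it and parse it
    three ways. Returns the outcomes as a dict."""
    fd, path = tempfile.mkstemp(suffix=".properties")
    with os.fdopen(fd, "w") as f:
        f.write("db.password=hunter2\n")  # constructed secret, not real data
    try:
        payload = build_xxe_payload("file://" + path)
        results = {
            "vulnerable": parse_vulnerable(payload),  # leaks the file contents
            "default": parse_default(payload),        # entity expands to nothing
        }
        try:
            parse_hardened(payload)
            results["hardened_rejected"] = False
        except ValueError:
            results["hardened_rejected"] = True
        results["benign_accepted"] = parse_hardened(b"<Request>ok</Request>") == "ok"
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Leaving external entity resolution off closes the file-read and SSRF paths but not the resource-exhaustion one, which is why the hardened variant refuses any DTD outright instead of relying on parser features alone.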

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to read arbitrary files accessible to the GeoServer process, to conduct Server-Side Request Forgery (SSRF) against services reachable from the server, and to cause denial of service by exhausting server resources through entity expansion.

Remediation

Users are advised to update GeoServer to version 2.25.6, 2.26.3, or 2.27.0 (or a later release in the same branch), which contain the fix. Until the upgrade is in place, WMS GetMap requests carrying a DOCTYPE or entity declaration should be treated as hostile, since the attack depends on them.
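A triage helper for the fixed releases named above, added here as an example rather than anything published with the advisory: it classifies a GeoServer version string as affected or not, using only the fix versions listed under Remediation. The inventory dict and the assumption that branches newer than 2.27 carry the fix forward are mine.

```python
import re

# Fixed releases from the Remediation section, keyed by (major, minor) branch.
# Assumption for this example: every branch newer than the newest listed one
# (2.27) ships with the fix, and every branch older than the oldest listed
# one (2.25) is affected.
FIXED_BY_BRANCH = {(2, 25): 6, (2, 26): 3, (2, 27): 0}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'2.26.2' -> (2, 26, 2); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch < min(FIXED_BY_BRANCH):
        return True
    if branch > max(FIXED_BY_BRANCH):
        return False
    return patch < FIXED_BY_BRANCH[branch]


def triage(inventory):
    """inventory: {host: version string} -> sorted list of affected hosts."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed inventory, e.g. collected from each instance's version page.
    sample = {
        "gis-prod-1": "2.26.2",
        "gis-prod-2": "2.26.3",
        "gis-legacy": "2.24.1",
        "gis-new": "2.27.0",
    }
    print(triage(sample))
```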

Added: Nov 25, 2025, 9:18 PM
Updated: Dec 11, 2025, 8:03 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.6
exploitability: 9.8
remediation: 7.7
relevance: 1.1
threat: 9.6
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.