CISA Flags GeoServer Security Flaw Amid Cybersecurity Concerns
Full Transcript
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw in OSGeo GeoServer to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-58360, carries a CVSS score of 8.2 and affects all GeoServer versions up to and including 2.25.5, as well as versions 2.26.0 through 2.26.1. It has been patched in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1.
The flaw is classified as an unauthenticated XML External Entity (XXE) vulnerability, which can allow attackers to read arbitrary files from the server's file system, conduct server-side request forgery (SSRF), or cause a denial of service.
CISA specifically noted that the vulnerability is triggered when XML input is accepted by the GetMap operation of the /geoserver/wms endpoint. The affected packages include docker.osgeo.org/geoserver, org.geoserver.web:gs-web-app, and org.geoserver:gs-wms.
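As an added example (not code from GeoServer, CISA, or the cited bulletin), two defender-side checks built from the details above: whether an installed GeoServer version falls inside the affected ranges, and a simple flag for DTD or entity declarations in XML submitted to the /geoserver/wms GetMap operation, which is the precondition for any XXE. The sample request bodies are constructed for illustration.

```python
"""Triage helpers for CVE-2025-58360 (GeoServer XXE via WMS GetMap).

Added example, not GeoServer's or CISA's own code. Version ranges are taken
from the advisory text; request bodies below are constructed samples.
"""
import re
from typing import Tuple

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.26.1' -> (2, 26, 1); tolerates suffixes such as '2.25.5-SNAPSHOT'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))[:3]
    return parts + (0,) * (3 - len(parts))  # pad '2.26' to (2, 26, 0)


def is_affected(version: str) -> bool:
    """True if the version lies in a range the advisory lists as vulnerable."""
    v = parse_version(version)
    # Everything up to and including 2.25.5, plus 2.26.0 through 2.26.1.
    return v <= (2, 25, 5) or (2, 26, 0) <= v <= (2, 26, 1)


# A GetMap payload has no legitimate need for a DOCTYPE or ENTITY declaration,
# so their presence on the WMS endpoint is worth alerting on regardless of
# what the entity points at.
_DTD_MARKERS = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def suspicious_getmap(path: str, body: str) -> bool:
    """Flag XML sent to /geoserver/wms that carries a DTD or entity declaration."""
    if not path.lower().startswith("/geoserver/wms"):
        return False
    return bool(_DTD_MARKERS.search(body))


# Constructed samples: a plain XML GetMap body and one carrying an external DTD.
BENIGN_BODY = (
    '<?xml version="1.0"?>'
    '<ogc:GetMap xmlns:ogc="http://www.opengis.net/ows" version="1.1.1">'
    "<Layers/></ogc:GetMap>"
)
FLAGGED_BODY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE GetMap SYSTEM "http://example.invalid/getmap.dtd">'
    "<ogc:GetMap xmlns:ogc=\"http://www.opengis.net/ows\"/>"
)
```

The body check only helps where a reverse proxy or WAF actually records POST bodies; standard access logs carry the URL alone, so pair it with the version check rather than relying on it by itself.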
Although there are currently no details on how the flaw is being exploited in real-world attacks, a bulletin from the Canadian Centre for Cyber Security dated November 28, 2025, confirmed that an exploit for CVE-2025-58360 exists in the wild.
Additionally, another critical GeoServer flaw, CVE-2024-36401 with a CVSS score of 9.8, has been exploited by multiple threat actors over the past year. Federal Civilian Executive Branch agencies are advised to apply the necessary fixes by January 1, 2026, to secure their networks.