CVE-2025-30220 — CRITICAL (9.9)

Q: How severe is CVE-2025-30220?

CVE-2025-30220 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2025-30220?

Check the references section above for vendor advisories and patch information. Affected products include: Geotools Geotools, Osgeo Geonetwork, Osgeo Geoserver.

Vulnerability Description

GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Geotools	Geotools	< 28.6.1
Osgeo	Geonetwork	>= 4.2.0, < 4.2.13
Osgeo	Geoserver	< 2.25.7

Related Weaknesses (CWE)

CWE-918 CWE-611

References

https://docs.geoserver.org/latest/en/user/production/config.html#production-confProduct
https://github.com/geonetwork/core-geonetwork/pull/8757Patch
https://github.com/geonetwork/core-geonetwork/pull/8803Patch
https://github.com/geonetwork/core-geonetwork/pull/8812Patch
https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46PatchThird Party Advisory
https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pcExploitPatchThird Party Advisory
https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vwThird Party Advisory

FAQ

What is CVE-2025-30220?

CVE-2025-30220 is a vulnerability with a CVSS score of 9.9 (CRITICAL). GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML Externa...

How severe is CVE-2025-30220?

CVE-2025-30220 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-30220?

Check the references section above for vendor advisories and patch information. Affected products include: Geotools Geotools, Osgeo Geonetwork, Osgeo Geoserver.