Add GeoServer WMS GetMap XXE file read module (CVE-2025-58360) #20767
+244
−0
Hello Metasploit Team,
Description
This PR adds an auxiliary module for CVE-2025-58360, an XML External Entity (XXE) vulnerability in GeoServer that allows unauthenticated attackers to read arbitrary files from the server's file system via the WMS GetMap operation.
Vulnerability Overview
GeoServer versions <= 2.25.5 and >= 2.26.0, <= 2.26.1 contain an XXE vulnerability in the WMS GetMap operation. The vulnerability occurs when processing Styled Layer Descriptor (SLD) XML data, which allows attackers to inject malicious XML entities that reference local files.
This allows unauthenticated attackers to:
The vulnerability is accessible through the /geoserver/wms endpoint by sending a POST request with a malicious SLD containing an XXE entity. The file content is returned in the error message when the layer name contains the XXE entity reference.
Module Capabilities
Testing
Successfully tested against GeoServer 2.25.5 using Docker. The module successfully reads files such as /etc/passwd and other system files.
Thanks!
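For defenders, the request shape described above (a POST to /geoserver/wms whose SLD body declares an external entity) can be triaged from captured requests. The following is an added example, not code from this PR or from Metasploit; every function and constant name is hypothetical, the sample requests are constructed and simplified, and the version ranges are copied from the description above.

```ruby
# Added example: defensive triage for the request shape described in this PR.
# All names are hypothetical; the sample requests are constructed.

# Affected ranges exactly as stated in the PR description.
AFFECTED_RANGES = [
  [nil, '2.25.5'],       # <= 2.25.5
  ['2.26.0', '2.26.1']   # >= 2.26.0, <= 2.26.1
].freeze

DOCTYPE_RE = /<!DOCTYPE\b/i
# General or parameter entity bound to an external identifier.
EXTERNAL_ENTITY_RE = /<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b/i

def affected_version?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? do |low, high|
    (low.nil? || v >= Gem::Version.new(low)) && v <= Gem::Version.new(high)
  end
end

# Findings for one logged HTTP request; an empty list means nothing to report.
def xxe_findings(request)
  return [] unless request[:method].to_s.upcase == 'POST'
  # Ignore the query string when matching the WMS endpoint path.
  return [] unless request[:path].to_s.split('?').first.to_s.end_with?('/geoserver/wms')

  body = request[:body].to_s
  findings = []
  findings << 'DOCTYPE in SLD body' if body.match?(DOCTYPE_RE)
  findings << 'external entity declaration' if body.match?(EXTERNAL_ENTITY_RE)
  findings
end

# Flag suspicious requests and note whether the target version is in range.
def triage(requests, geoserver_version)
  requests.each_with_index.filter_map do |req, i|
    hits = xxe_findings(req)
    next if hits.empty?
    { index: i, findings: hits, server_affected: affected_version?(geoserver_version) }
  end
end

# Constructed sample requests (declaration only, placeholder URI).
SAMPLE_REQUESTS = [
  { method: 'POST', path: '/geoserver/wms',
    body: '<?xml version="1.0"?><!DOCTYPE sld [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]><StyledLayerDescriptor/>' },
  { method: 'POST', path: '/geoserver/wms', body: '<StyledLayerDescriptor version="1.0.0"/>' },
  { method: 'GET', path: '/geoserver/wms?request=GetCapabilities', body: '' }
].freeze
```

Legitimate SLD documents rarely need a DOCTYPE, so the first finding alone is worth reviewing even when no external entity is declared.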