The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security vulnerability impacting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog. Identified as CVE-2025-58360, this high-severity flaw, with a CVSS score of 8.2, has reportedly been actively exploited in the wild, prompting immediate attention from cybersecurity professionals managing geospatial information systems.
The vulnerability stems from an improper restriction of XML external entity references within GeoServer. According to CISA, when the application processes XML input submitted to the GetMap operation of the /geoserver/wms endpoint, an attacker can define external entities within the XML request. Because the parser honours those declarations, the request body becomes a vector for the file-access, SSRF and resource-exhaustion outcomes described below, which is why addressing this OSGeo GeoServer vulnerability swiftly matters.
Understanding CVE-2025-58360 and Its Impact
CVE-2025-58360 affects a range of OSGeo GeoServer versions, specifically all versions prior to and including 2.25.5, as well as versions 2.26.0 through 2.26.1. Patches have been released and are available in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. The discovery of this flaw has been attributed to the AI-powered vulnerability discovery platform XBOW.
The implications of a successful exploitation of this flaw are significant. Maintainers of the open-source software have alerted users that an attacker could potentially gain unauthorized access to arbitrary files residing on the server’s file system. Furthermore, the vulnerability can be leveraged for Server-Side Request Forgery (SSRF) attacks, enabling attackers to interact with internal systems. In a more disruptive scenario, it could also lead to denial-of-service (DoS) attacks through resource exhaustion.
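The three outcomes above (file disclosure, SSRF and entity-expansion DoS) all depend on the request carrying a DOCTYPE with entity declarations, which a legitimate WMS GetMap XML body never needs. The following is an added example, not GeoServer code or anything from the advisory: a prolog-only screen that a reverse proxy or WAF hook could apply to XML bodies before they reach the application. It uses Python's stdlib expat bindings, records any DOCTYPE, external DTD reference, and entity declaration, and aborts at the root element so no entity is ever expanded by the screen itself. The sample bodies in the test are constructed, and the reject-any-DOCTYPE policy is an assumption about what GetMap clients send.

```python
"""Prolog-only XXE screen for XML bodies posted to a WMS GetMap endpoint.

Added example, not GeoServer code. The function parses only the XML prolog:
DOCTYPE and entity declarations are recorded, and parsing stops as soon as the
root element opens, so entity references in element content are never expanded
and no external resource is fetched.
"""
import xml.parsers.expat


class _PrologDone(Exception):
    """Raised from the first start-element callback to stop the parser."""


def screen_xml_body(body: bytes) -> dict:
    findings = {
        "doctype": None,           # name of the DOCTYPE, if one is present
        "external_dtd": None,      # SYSTEM/PUBLIC id of an external DTD subset
        "external_entities": [],   # (name, id) pairs: the file/SSRF vector
        "internal_entities": [],   # names: the entity-expansion DoS vector
        "malformed": False,
        "verdict": "accept",
    }
    parser = xml.parsers.expat.ParserCreate()
    # Never resolve parameter entities or the external DTD subset.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = name
        if system_id or public_id:
            findings["external_dtd"] = system_id or public_id

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # An entity with a SYSTEM or PUBLIC identifier points outside the document.
        if system_id is not None or public_id is not None:
            findings["external_entities"].append((name, system_id or public_id))
        else:
            findings["internal_entities"].append(name)

    def on_root(name, attrs):
        raise _PrologDone  # prolog finished; do not touch element content

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(body, True)
    except _PrologDone:
        pass
    except xml.parsers.expat.ExpatError:
        findings["malformed"] = True

    # Assumption: GetMap XML never legitimately carries a DOCTYPE, so any
    # DOCTYPE (and any body whose prolog cannot be parsed) is rejected.
    if findings["malformed"] or findings["doctype"] is not None:
        findings["verdict"] = "reject"
    return findings
```

Because the parser is stopped at the root element, the cost of screening a body is bounded by the size of its prolog, and a bomb built from nested internal entities is reported by declaration count rather than by attempting to expand it. Element content still goes to the application's own parser, which must itself keep external entity resolution disabled; the screen is a detection layer in front of the patch, not a substitute for it.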
The affected packages include popular deployment options like docker.osgeo.org/geoserver. Developers utilizing GeoServer through Maven repositories are also impacted, with vulnerable components identified as org.geoserver.web:gs-web-app and org.geoserver:gs-wms.
Active Exploitation and Recommended Actions
While specific details on the exact methods of real-world abuse remain scarce, a bulletin from the Canadian Centre for Cyber Security on November 28, 2025, confirmed that an exploit for CVE-2025-58360 is indeed present and active in the wild. This confirmation from a national cybersecurity agency elevates the urgency for organizations to remediate this security defect.
This is not the first time GeoServer has faced significant security challenges. Notably, another critical flaw in the same software, CVE-2024-36401, which carried a higher CVSS score of 9.8, has been exploited by multiple threat actors over the past year. This past activity highlights a recurring pattern of vulnerabilities within such widely used geospatial platforms.
Federal Agencies Urged to Patch by January 1, 2026
In response to the ongoing threat, Federal Civilian Executive Branch (FCEB) agencies have been specifically advised to implement the necessary security fixes by January 1, 2026. This deadline provides a concrete target for federal entities to secure their networks against this authenticated XML External Entity (XXE) flaw. The proactive inclusion in CISA’s KEV catalog signals that this vulnerability poses a clear and present danger to national security and critical infrastructure.
Organizations utilizing OSGeo GeoServer, regardless of their sector, are strongly recommended to review their current versions and apply the relevant patches as soon as possible. Staying informed about these evolving cybersecurity threats and promptly addressing identified vulnerabilities is paramount in maintaining a robust and secure digital environment.
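Reviewing current versions across a fleet is easier when the affected and fixed ranges stated above are encoded once and applied to every deployment reference. The script below is an added example, not part of the advisory or the GeoServer project: it pulls a major.minor.patch version out of a bare version string, a Docker image reference of the form used for docker.osgeo.org/geoserver, or a Maven coordinate such as org.geoserver:gs-wms, and sorts each reference into affected, fixed or unknown. The inventory entries in the test are constructed; image tags without a numeric version (for example a "latest" tag) are reported as unknown rather than guessed.

```python
"""Version triage for CVE-2025-58360 against the ranges stated in the advisory.

Added example, not GeoServer tooling. Affected: every version up to and
including 2.25.5, and 2.26.0 through 2.26.1. Fixed: 2.25.6, 2.26.2, 2.27.0,
2.28.0 and 2.28.1, so anything outside the affected ranges is treated as fixed.
"""
import re

AFFECTED_RANGES = [
    ((0, 0, 0), (2, 25, 5)),   # all versions prior to and including 2.25.5
    ((2, 26, 0), (2, 26, 1)),  # 2.26.0 through 2.26.1
]
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(ref: str):
    """Return (major, minor, patch) from a bare version, an image reference such
    as docker.osgeo.org/geoserver:2.26.1, or a Maven coordinate such as
    org.geoserver:gs-wms:2.25.4. Returns None when no x.y.z is present."""
    match = _VERSION.search(ref)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(ref: str):
    """True if the reference falls in an affected range, False if outside it,
    None if no version could be read from it."""
    version = parse_version(ref)
    if version is None:
        return None
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """Split deployment references into affected / fixed / unknown buckets."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for ref in inventory:
        verdict = is_affected(ref)
        bucket = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        result[bucket].append(ref)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real deployments.
    sample = [
        "docker.osgeo.org/geoserver:2.26.1",
        "docker.osgeo.org/geoserver:2.28.1",
        "org.geoserver:gs-wms:2.25.4",
        "org.geoserver.web:gs-web-app:2.25.6",
        "docker.osgeo.org/geoserver:latest",
    ]
    for bucket, refs in triage(sample).items():
        print(f"{bucket}: {refs}")
```

Entries that land in "unknown" need a manual check, since a floating tag gives no evidence about what is actually running; resolving the image to its concrete version and re-running the check is the conservative course.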