1. Home
  2. Vulnerabilities
  3. CVE-2024-36401
Known Exploited Vulnerability
9.8
CRITICAL CVSS 3.1
CVE-2024-36401
OSGeo GeoServer GeoTools Eval Injection Vulnerability - [Actively Exploited]
Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

INFO

Published Date :

July 1, 2024, 4:15 p.m.

Last Modified :

Aug. 25, 2025, 2:17 a.m.

Remotely Exploit :

Yes !

Source :

[email protected]
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.

Required Action :

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes :

This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, https://github.com/geotools/geotools/pull/4797 ; https://nvd.nist.gov/vuln/detail/CVE-2024-36401

Affected Products

The following products are affected by CVE-2024-36401 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Geoserver geoserver
1 Geotools geotools
1 Osgeo geoserver
: Total Affected Vendor : 3 | Products : 3
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 CRITICAL [email protected]
Solution
This information is provided by the 3rd party feeds.
  • See vendor advisory.
Public PoC/Exploit Available at Github

CVE-2024-36401 has a 78 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-36401.

URL Resource
https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 Exploit Third Party Advisory
https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv Mitigation Vendor Advisory
https://github.com/geotools/geotools/pull/4797 Issue Tracking Patch
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Exploit Vendor Advisory
https://osgeo-org.atlassian.net/browse/GEOT-7587 Vendor Advisory
https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 Exploit Third Party Advisory
https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv Mitigation Vendor Advisory
https://github.com/geotools/geotools/pull/4797 Issue Tracking Patch
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Exploit Vendor Advisory
https://osgeo-org.atlassian.net/browse/GEOT-7587 Vendor Advisory
https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 Exploit Third Party Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-36401 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-36401 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
URJACK2025/CVE-2024-36401

An Python Exp For "GeoServer"

Python

Updated: 1 week, 5 days ago
1 stars 0 fork 0 watcher
Born at : Oct. 4, 2025, 9:28 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
paultheal1en/auto_pen_bench_web

None

Makefile Python Dockerfile PHP Hack CSS HTML Ruby Groovy Java

Updated: 2 months ago
0 stars 0 fork 0 watcher
Born at : Aug. 5, 2025, 1:21 a.m. This repo has been linked 11 different CVEs too.
Profile Photo
0day404/HV-2024-POC

护网2024-POC收录备份

Updated: 2 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Aug. 4, 2025, 1:25 p.m. This repo has been linked 119 different CVEs too.
Profile Photo
holokitty/Exploit-CVE-2024-36401

Python exploit for GeoServer (CVE-2024-36401) with JSP web shell upload

Updated: 2 months, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : July 21, 2025, 6:40 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
sparktsao/auto-pen-bench-study

None

Makefile Python Dockerfile Shell C PHP Hack CSS HTML Ruby

Updated: 3 months ago
0 stars 0 fork 0 watcher
Born at : July 13, 2025, 8:56 p.m. This repo has been linked 11 different CVEs too.
Profile Photo
Lern0n/Lernon-POC

备份的漏洞库,3月开始我们来维护

Updated: 3 months ago
2 stars 0 fork 0 watcher
Born at : June 30, 2025, 9:14 a.m. This repo has been linked 216 different CVEs too.
Profile Photo
oLy0/Vulnerability

None

Updated: 4 months ago
0 stars 0 fork 0 watcher
Born at : June 15, 2025, 2:32 a.m. This repo has been linked 216 different CVEs too.
Profile Photo
zulloper/cve-poc

CVE POC repo 자동 수집기

Python

Updated: 1 day, 20 hours ago
3 stars 1 fork 1 watcher
Born at : June 8, 2025, 3:07 p.m. This repo has been linked 157 different CVEs too.
Profile Photo
bright-angel/sec-repos

安全项目集合

Updated: 3 months, 3 weeks ago
1 stars 0 fork 0 watcher
Born at : May 30, 2025, 3:08 a.m. This repo has been linked 40 different CVEs too.
Profile Photo
oLy0/Vulnerability

None

Updated: 4 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : May 30, 2025, 2:59 a.m. This repo has been linked 213 different CVEs too.
Profile Photo
Satan0x00/dddd-

dddd 二开长期维护版

Updated: 4 months, 3 weeks ago
1 stars 0 fork 0 watcher
Born at : May 24, 2025, 1:23 p.m. This repo has been linked 16 different CVEs too.
Profile Photo
lowsuet/CVE-2024-36401

geoserver图形化漏洞利用工具

Go

Updated: 5 months, 1 week ago
24 stars 0 fork 0 watcher
Born at : May 6, 2025, 9:51 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
12442RF/POC

None

HTML

Updated: 5 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : May 6, 2025, 2:20 a.m. This repo has been linked 201 different CVEs too.
Profile Photo
cochaviz/cve-2024-36401-poc

A poc for cve-2024-36401 for applications using GeoTools for WMS data retrieval

Updated: 5 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : May 4, 2025, 12:15 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
amoy6228/CVE-2024-36401_Geoserver_RCE_POC

本脚本是针对 GeoServer 的远程代码执行漏洞(CVE-2024-36401)开发的 PoC(Proof of Concept)探测工具。该漏洞允许攻击者通过构造特定请求,在目标服务器上执行任意命令。

Python

Updated: 5 months, 1 week ago
1 stars 0 fork 0 watcher
Born at : April 30, 2025, 7:45 a.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-36401 vulnerability anywhere in the article.

  • The Hacker News
Threatsday Bulletin: Rootkit Patch, Federal Breach, OnePlus SMS Leak, TikTok Scandal & More

Welcome to this week's Threatsday Bulletin—your Thursday check-in on the latest twists and turns in cybersecurity and hacking.The digital threat landscape never stands still. One week it's a critical ... Read more

Published Date: Sep 25, 2025 (3 weeks ago)
  • TheCyberThrone
US Federal Agency Breached Via GeoServer Vulnerability

September 25, 2025IntroductionIn September 2025, CISA confirmed that a major breach had impacted a US federal agency through the exploitation of a critical GeoServer bug (CVE-2024-36401). This inciden ... Read more

Published Date: Sep 25, 2025 (3 weeks ago)
  • AttackIQ
Response to CISA Advisory (AA25-266A): CISA Shares Lessons Learned from an Incident Response Engagement

Introduction On September 23, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA). The advisory highlights lessons learned from an incident respon ... Read more

Published Date: Sep 24, 2025 (3 weeks, 1 day ago)
  • The Cyber Express
CISA Says Failure to Patch, Untested IRP, Silent EDR Alerts, Led to a Federal Agency Breach

CISA this week offered a rare window into a real-world breach at a U.S. federal civilian agency. Delays in patching, unexercised incident response plans, and inadequate monitoring of EDR alerts were t ... Read more

Published Date: Sep 24, 2025 (3 weeks, 1 day ago)
  • security.nl
Amerikaanse overheidsinstantie gehackt na niet installeren GeoServer-update

Een federale Amerikaanse overheidsinstantie is vorig jaar gehackt omdat het had nagelaten een beveiligingsupdate voor een kritieke kwetsbaarheid in GeoServer te installeren. De patch was drie weken ee ... Read more

Published Date: Sep 24, 2025 (3 weeks, 1 day ago)
  • CybersecurityNews
CISA Details That Hackers Gained Access to a U.S. Federal Agency Network Via GeoServer RCE Vulnerability

CISA has released a comprehensive cybersecurity advisory detailing how threat actors successfully compromised a U.S. federal civilian executive branch agency’s network by exploiting CVE-2024-36401, a ... Read more

Published Date: Sep 24, 2025 (3 weeks, 1 day ago)
  • BleepingComputer
CISA says hackers breached federal agency using GeoServer exploit

CISA has revealed that attackers breached the network of an unnamed U.S. federal civilian executive branch (FCEB) agency last year after compromising an unpatched GeoServer instance. The security bug ... Read more

Published Date: Sep 23, 2025 (3 weeks, 2 days ago)
  • Daily CyberSecurity
MystRodX: A Stealthy New Backdoor Found Hiding in Networks for Over 20 Months

XLab has identified a previously unknown and stealthy backdoor dubbed MystRodX, capable of operating undetected in compromised environments for extended periods. Initially mistaken for the well-known ... Read more

Published Date: Aug 30, 2025 (1 month, 2 weeks ago)
  • The Hacker News
GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and expose Redis servers to various malicious activities, including leveraging the co ... Read more

Published Date: Aug 23, 2025 (1 month, 3 weeks ago)
  • Daily CyberSecurity
CVE-2025-55746: Critical Directus Flaw Exposes Servers to Unauthenticated File Upload and RCE

The Directus project has disclosed a critical vulnerability tracked as CVE-2025-55746 (CVSS 9.3) that could allow unauthenticated attackers to upload or modify files on vulnerable servers. Directus, a ... Read more

Published Date: Aug 22, 2025 (1 month, 3 weeks ago)
  • Daily CyberSecurity
CVE-2024-36401 Exploited in Stealthy Bandwidth-Monetization Campaign

A new report from Palo Alto Networks’ Unit 42 has shed light on an unusual and stealthy monetization campaign that exploits CVE-2024-36401, a critical remote code execution (RCE) vulnerability in GeoS ... Read more

Published Date: Aug 22, 2025 (1 month, 3 weeks ago)
  • CybersecurityNews
Threat Actors Gaining Access to Victims’ Machines and Monetizing Access to Their Bandwidth

A stealthy campaign emerged in early March 2025 that capitalized on a critical remote code execution flaw in GeoServer (CVE-2024-36401) to compromise publicly exposed geospatial servers. Attackers exp ... Read more

Published Date: Aug 21, 2025 (1 month, 3 weeks ago)
  • The Hacker News
Hackers Exploit Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner

Jul 17, 2025Ravie LakshmananCryptocurrency / Vulnerability Cybersecurity researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryp ... Read more

Published Date: Jul 17, 2025 (2 months, 4 weeks ago)
  • The Hacker News
CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) cata ... Read more

Published Date: Jul 11, 2025 (3 months ago)
  • The Hacker News
CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) cata ... Read more

Published Date: Jul 11, 2025 (3 months ago)
  • CybersecurityNews
Hackers Exploiting GeoServer RCE Vulnerability to Deploy CoinMiner

A critical remote code execution vulnerability in GeoServer has become a prime target for cybercriminals deploying cryptocurrency mining malware across global networks. The vulnerability, designated C ... Read more

Published Date: Jul 10, 2025 (3 months ago)
  • The Cyber Express
Ukraine Reports 48% Jump in Cyber Incidents in H2 2024, but 77% Drop in High-Severity Incidents

In Ukraine, cyber warfare is no longer just code and servers. It’s frontline infrastructure, psychological warfare, and kinetic attacks rolled into one. According to the Computer Emergency Response Te ... Read more

Published Date: Apr 30, 2025 (5 months, 2 weeks ago)
  • The Cyber Express
December 2024 Cyble Report: Malware, Phishing, and IoT Vulnerabilities on the Rise

The latest Sensor Intelligence Report from Cyble, dated December 4–10, 2024, sheds light on a troubling increase in cyber threats, including malware intrusions, phishing scams, and attacks targeting v ... Read more

Published Date: Dec 16, 2024 (10 months ago)
  • The Hacker News
AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

IoT Security / Vulnerability The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying th ... Read more

Published Date: Nov 08, 2024 (11 months, 1 week ago)
  • Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News
Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities

CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of vulnerabilities in web applications and IoT devices. Learn about the specific vulnerabilit ... Read more

Published Date: Nov 07, 2024 (11 months, 1 week ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2024-36401 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Aug. 25, 2025

    Action Type Old Value New Value
    Changed CPE Configuration OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.22.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.23.0 up to (excluding) 2.23.6 OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.22.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.23.0 up to (excluding) 2.23.6 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.1 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.1 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:* *cpe:2.3:a:geotools:geotools:30.0:rc:*:*:*:*:*:* *cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:* *cpe:2.3:a:geotools:geotools:31.0:rc:*:*:*:*:*:*
  • Modified Analysis by [email protected]

    Apr. 03, 2025

    Action Type Old Value New Value
    Changed CPE Configuration OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.23.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.22.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.23.0 up to (excluding) 2.23.6
  • CVE Modified by [email protected]

    Mar. 19, 2025

    Action Type Old Value New Value
    Changed Description GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
  • Modified Analysis by [email protected]

    Nov. 29, 2024

    Action Type Old Value New Value
    Changed Reference Type https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 No Types Assigned https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 Exploit, Third Party Advisory
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
    Added Reference https://github.com/geotools/geotools/pull/4797
    Added Reference https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
    Added Reference https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852
    Added Reference https://osgeo-org.atlassian.net/browse/GEOT-7587
    Added Reference https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jul. 16, 2024

    Action Type Old Value New Value
    Added Vulnerability Name OSGeo GeoServer GeoTools Eval Injection Vulnerability
    Added Due Date 2024-08-05
    Added Date Added 2024-07-15
    Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  • Initial Analysis by [email protected]

    Jul. 03, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv No Types Assigned https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv Mitigation, Vendor Advisory
    Changed Reference Type https://github.com/geotools/geotools/pull/4797 No Types Assigned https://github.com/geotools/geotools/pull/4797 Issue Tracking, Patch
    Changed Reference Type https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w No Types Assigned https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Exploit, Vendor Advisory
    Changed Reference Type https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 No Types Assigned https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 Exploit, Third Party Advisory
    Changed Reference Type https://osgeo-org.atlassian.net/browse/GEOT-7587 No Types Assigned https://osgeo-org.atlassian.net/browse/GEOT-7587 Vendor Advisory
    Added CWE NIST CWE-94
    Added CPE Configuration OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.23.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2
  • CVE Received by [email protected]

    Jul. 01, 2024

    Action Type Old Value New Value
    Added Description GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
    Added Reference GitHub, Inc. https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv [No types assigned]
    Added Reference GitHub, Inc. https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w [No types assigned]
    Added Reference GitHub, Inc. https://github.com/geotools/geotools/pull/4797 [No types assigned]
    Added Reference GitHub, Inc. https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 [No types assigned]
    Added Reference GitHub, Inc. https://osgeo-org.atlassian.net/browse/GEOT-7587 [No types assigned]
    Added CWE GitHub, Inc. CWE-95
    Added CVSS V3.1 GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 9.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact