CVE-2024-36401
OSGeo GeoServer GeoTools Eval Injection Vulnerability - [Actively Exploited]
Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
INFO
Published Date :
July 1, 2024, 4:15 p.m.
Last Modified :
Aug. 25, 2025, 2:17 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, https://github.com/geotools/geotools/pull/4797 ; https://nvd.nist.gov/vuln/detail/CVE-2024-36401
Affected Products
The following products are affected by CVE-2024-36401
vulnerability.
Even if cvefeed.io
is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|---|
CVSS 3.1 | CRITICAL | [email protected] | ||||
CVSS 3.1 | CRITICAL | [email protected] |
Solution
- See vendor advisory.
Public PoC/Exploit Available at Github
CVE-2024-36401 has a 77 public
PoC/Exploit
available at Github.
Go to the Public Exploits
tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-36401
.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-36401
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-36401
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
An Python Exp For "GeoServer"
Python
None
Makefile Python Dockerfile PHP Hack CSS HTML Ruby Groovy Java
护网2024-POC收录备份
Python exploit for GeoServer (CVE-2024-36401) with JSP web shell upload
None
Makefile Python Dockerfile Shell C PHP Hack CSS HTML Ruby
备份的漏洞库,3月开始我们来维护
None
CVE POC repo 자동 수집기
Python
安全项目集合
None
dddd 二开长期维护版
geoserver图形化漏洞利用工具
Go
None
HTML
A poc for cve-2024-36401 for applications using GeoTools for WMS data retrieval
本脚本是针对 GeoServer 的远程代码执行漏洞(CVE-2024-36401)开发的 PoC(Proof of Concept)探测工具。该漏洞允许攻击者通过构造特定请求,在目标服务器上执行任意命令。
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-36401
vulnerability anywhere in the article.

-
The Hacker News
Threatsday Bulletin: Rootkit Patch, Federal Breach, OnePlus SMS Leak, TikTok Scandal & More
Welcome to this week's Threatsday Bulletin—your Thursday check-in on the latest twists and turns in cybersecurity and hacking.The digital threat landscape never stands still. One week it's a critical ... Read more

-
TheCyberThrone
US Federal Agency Breached Via GeoServer Vulnerability
September 25, 2025IntroductionIn September 2025, CISA confirmed that a major breach had impacted a US federal agency through the exploitation of a critical GeoServer bug (CVE-2024-36401). This inciden ... Read more

-
AttackIQ
Response to CISA Advisory (AA25-266A): CISA Shares Lessons Learned from an Incident Response Engagement
Introduction On September 23, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA). The advisory highlights lessons learned from an incident respon ... Read more

-
The Cyber Express
CISA Says Failure to Patch, Untested IRP, Silent EDR Alerts, Led to a Federal Agency Breach
CISA this week offered a rare window into a real-world breach at a U.S. federal civilian agency. Delays in patching, unexercised incident response plans, and inadequate monitoring of EDR alerts were t ... Read more

-
security.nl
Amerikaanse overheidsinstantie gehackt na niet installeren GeoServer-update
Een federale Amerikaanse overheidsinstantie is vorig jaar gehackt omdat het had nagelaten een beveiligingsupdate voor een kritieke kwetsbaarheid in GeoServer te installeren. De patch was drie weken ee ... Read more

-
CybersecurityNews
CISA Details That Hackers Gained Access to a U.S. Federal Agency Network Via GeoServer RCE Vulnerability
CISA has released a comprehensive cybersecurity advisory detailing how threat actors successfully compromised a U.S. federal civilian executive branch agency’s network by exploiting CVE-2024-36401, a ... Read more

-
BleepingComputer
CISA says hackers breached federal agency using GeoServer exploit
CISA has revealed that attackers breached the network of an unnamed U.S. federal civilian executive branch (FCEB) agency last year after compromising an unpatched GeoServer instance. The security bug ... Read more

-
Daily CyberSecurity
MystRodX: A Stealthy New Backdoor Found Hiding in Networks for Over 20 Months
XLab has identified a previously unknown and stealthy backdoor dubbed MystRodX, capable of operating undetected in compromised environments for extended periods. Initially mistaken for the well-known ... Read more

-
The Hacker News
GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets
Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and expose Redis servers to various malicious activities, including leveraging the co ... Read more

-
Daily CyberSecurity
CVE-2025-55746: Critical Directus Flaw Exposes Servers to Unauthenticated File Upload and RCE
The Directus project has disclosed a critical vulnerability tracked as CVE-2025-55746 (CVSS 9.3) that could allow unauthenticated attackers to upload or modify files on vulnerable servers. Directus, a ... Read more

-
Daily CyberSecurity
CVE-2024-36401 Exploited in Stealthy Bandwidth-Monetization Campaign
A new report from Palo Alto Networks’ Unit 42 has shed light on an unusual and stealthy monetization campaign that exploits CVE-2024-36401, a critical remote code execution (RCE) vulnerability in GeoS ... Read more

-
CybersecurityNews
Threat Actors Gaining Access to Victims’ Machines and Monetizing Access to Their Bandwidth
A stealthy campaign emerged in early March 2025 that capitalized on a critical remote code execution flaw in GeoServer (CVE-2024-36401) to compromise publicly exposed geospatial servers. Attackers exp ... Read more

-
The Hacker News
Hackers Exploit Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner
Jul 17, 2025Ravie LakshmananCryptocurrency / Vulnerability Cybersecurity researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryp ... Read more

-
The Hacker News
CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) cata ... Read more

-
The Hacker News
CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) cata ... Read more

-
CybersecurityNews
Hackers Exploiting GeoServer RCE Vulnerability to Deploy CoinMiner
A critical remote code execution vulnerability in GeoServer has become a prime target for cybercriminals deploying cryptocurrency mining malware across global networks. The vulnerability, designated C ... Read more

-
The Cyber Express
Ukraine Reports 48% Jump in Cyber Incidents in H2 2024, but 77% Drop in High-Severity Incidents
In Ukraine, cyber warfare is no longer just code and servers. It’s frontline infrastructure, psychological warfare, and kinetic attacks rolled into one. According to the Computer Emergency Response Te ... Read more

-
The Cyber Express
December 2024 Cyble Report: Malware, Phishing, and IoT Vulnerabilities on the Rise
The latest Sensor Intelligence Report from Cyble, dated December 4–10, 2024, sheds light on a troubling increase in cyber threats, including malware intrusions, phishing scams, and attacks targeting v ... Read more

-
The Hacker News
AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services
IoT Security / Vulnerability The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying th ... Read more

-
Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News
Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities
CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of vulnerabilities in web applications and IoT devices. Learn about the specific vulnerabilit ... Read more
The following table lists the changes that have been made to the
CVE-2024-36401
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Aug. 25, 2025
Action Type Old Value New Value Changed CPE Configuration OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.22.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.23.0 up to (excluding) 2.23.6 OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.22.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.23.0 up to (excluding) 2.23.6 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.1 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.1 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:* *cpe:2.3:a:geotools:geotools:30.0:rc:*:*:*:*:*:* *cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:* *cpe:2.3:a:geotools:geotools:31.0:rc:*:*:*:*:*:* -
Modified Analysis by [email protected]
Apr. 03, 2025
Action Type Old Value New Value Changed CPE Configuration OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.23.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.22.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.23.0 up to (excluding) 2.23.6 -
CVE Modified by [email protected]
Mar. 19, 2025
Action Type Old Value New Value Changed Description GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. -
Modified Analysis by [email protected]
Nov. 29, 2024
Action Type Old Value New Value Changed Reference Type https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 No Types Assigned https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 Exploit, Third Party Advisory -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv Added Reference https://github.com/geotools/geotools/pull/4797 Added Reference https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Added Reference https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 Added Reference https://osgeo-org.atlassian.net/browse/GEOT-7587 Added Reference https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 16, 2024
Action Type Old Value New Value Added Vulnerability Name OSGeo GeoServer GeoTools Eval Injection Vulnerability Added Due Date 2024-08-05 Added Date Added 2024-07-15 Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. -
Initial Analysis by [email protected]
Jul. 03, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Changed Reference Type https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv No Types Assigned https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv Mitigation, Vendor Advisory Changed Reference Type https://github.com/geotools/geotools/pull/4797 No Types Assigned https://github.com/geotools/geotools/pull/4797 Issue Tracking, Patch Changed Reference Type https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w No Types Assigned https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Exploit, Vendor Advisory Changed Reference Type https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 No Types Assigned https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 Exploit, Third Party Advisory Changed Reference Type https://osgeo-org.atlassian.net/browse/GEOT-7587 No Types Assigned https://osgeo-org.atlassian.net/browse/GEOT-7587 Vendor Advisory Added CWE NIST CWE-94 Added CPE Configuration OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.23.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 -
CVE Received by [email protected]
Jul. 01, 2024
Action Type Old Value New Value Added Description GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. Added Reference GitHub, Inc. https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv [No types assigned] Added Reference GitHub, Inc. https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w [No types assigned] Added Reference GitHub, Inc. https://github.com/geotools/geotools/pull/4797 [No types assigned] Added Reference GitHub, Inc. https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 [No types assigned] Added Reference GitHub, Inc. https://osgeo-org.atlassian.net/browse/GEOT-7587 [No types assigned] Added CWE GitHub, Inc. CWE-95 Added CVSS V3.1 GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H