CVE-2024-36401
OSGeo GeoServer GeoTools Eval Injection Vulnerability - [Actively Exploited]
Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
INFO
Published Date :
July 1, 2024, 4:15 p.m.
Last Modified :
Aug. 25, 2025, 2:17 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, https://github.com/geotools/geotools/pull/4797 ; https://nvd.nist.gov/vuln/detail/CVE-2024-36401
Affected Products
The following products are affected by CVE-2024-36401
vulnerability.
Even if cvefeed.io
is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|---|
CVSS 3.1 | CRITICAL | [email protected] | ||||
CVSS 3.1 | CRITICAL | [email protected] |
Solution
- See vendor advisory.
Public PoC/Exploit Available at Github
CVE-2024-36401 has a 78 public
PoC/Exploit
available at Github.
Go to the Public Exploits
tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-36401
.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-36401
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-36401
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Makefile Python Dockerfile PHP Hack CSS HTML Ruby Groovy Java
护网2024-POC收录备份
None
Go
Python exploit for GeoServer (CVE-2024-36401) with JSP web shell upload
None
Makefile Python Dockerfile Shell C PHP Hack CSS HTML Ruby
备份的漏洞库,3月开始我们来维护
None
CVE POC repo 자동 수집기
Python
安全项目集合
None
dddd 二开长期维护版
geoserver图形化漏洞利用工具
Go
None
HTML
A poc for cve-2024-36401 for applications using GeoTools for WMS data retrieval
本脚本是针对 GeoServer 的远程代码执行漏洞(CVE-2024-36401)开发的 PoC(Proof of Concept)探测工具。该漏洞允许攻击者通过构造特定请求,在目标服务器上执行任意命令。
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-36401
vulnerability anywhere in the article.

-
The Hacker News
GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets
Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and expose Redis servers to various malicious activities, including leveraging the co ... Read more

-
Daily CyberSecurity
CVE-2025-55746: Critical Directus Flaw Exposes Servers to Unauthenticated File Upload and RCE
The Directus project has disclosed a critical vulnerability tracked as CVE-2025-55746 (CVSS 9.3) that could allow unauthenticated attackers to upload or modify files on vulnerable servers. Directus, a ... Read more

-
Daily CyberSecurity
CVE-2024-36401 Exploited in Stealthy Bandwidth-Monetization Campaign
A new report from Palo Alto Networks’ Unit 42 has shed light on an unusual and stealthy monetization campaign that exploits CVE-2024-36401, a critical remote code execution (RCE) vulnerability in GeoS ... Read more

-
CybersecurityNews
Threat Actors Gaining Access to Victims’ Machines and Monetizing Access to Their Bandwidth
A stealthy campaign emerged in early March 2025 that capitalized on a critical remote code execution flaw in GeoServer (CVE-2024-36401) to compromise publicly exposed geospatial servers. Attackers exp ... Read more

-
The Hacker News
Hackers Exploit Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner
Jul 17, 2025Ravie LakshmananCryptocurrency / Vulnerability Cybersecurity researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryp ... Read more

-
The Hacker News
CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) cata ... Read more

-
The Hacker News
CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) cata ... Read more

-
CybersecurityNews
Hackers Exploiting GeoServer RCE Vulnerability to Deploy CoinMiner
A critical remote code execution vulnerability in GeoServer has become a prime target for cybercriminals deploying cryptocurrency mining malware across global networks. The vulnerability, designated C ... Read more

-
The Cyber Express
Ukraine Reports 48% Jump in Cyber Incidents in H2 2024, but 77% Drop in High-Severity Incidents
In Ukraine, cyber warfare is no longer just code and servers. It’s frontline infrastructure, psychological warfare, and kinetic attacks rolled into one. According to the Computer Emergency Response Te ... Read more

-
The Cyber Express
December 2024 Cyble Report: Malware, Phishing, and IoT Vulnerabilities on the Rise
The latest Sensor Intelligence Report from Cyble, dated December 4–10, 2024, sheds light on a troubling increase in cyber threats, including malware intrusions, phishing scams, and attacks targeting v ... Read more

-
The Hacker News
AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services
IoT Security / Vulnerability The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying th ... Read more

-
Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News
Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities
CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of vulnerabilities in web applications and IoT devices. Learn about the specific vulnerabilit ... Read more

-
The Cyber Express
Cyble Sensors Uncover Cyberattacks on Java Framework and IoT Devices
Cyble vulnerability intelligence unit has shared a report, detailing the recent cyberattacks on the Spring Java framework and hundreds of thousands of Internet of Things (IoT) devices. The report shed ... Read more

-
The Cyber Express
Progress Telerik, Cisco, QNAP and Linux Under Attack: Cyble Honeypot Sensors
Cyble’s Vulnerability Intelligence unit has detected cyberattacks on several key IT products and systems, as threat actors have been quick to exploit vulnerabilities and enterprises slow to patch them ... Read more

-
europa.eu
Cyber Brief 24-10 - September 2024
Cyber Brief (September 2024)October 1, 2024 - Version: 1.0TLP:CLEARExecutive summaryWe analysed 269 open source reports for this Cyber Brief1.Relating to cyber policy and law enforcement, in Europe, l ... Read more

-
Cybersecurity News
Critical XSS Flaw Discovered in Filament: CVE-2024-47186 Requires Urgent Update for Laravel Developers
The Filament project, a popular collection of full-stack components for accelerated Laravel development, has issued a critical security advisory for CVE-2024-47186. This Cross-Site Scripting (XSS) vul ... Read more

-
Cybersecurity News
Critical CUPS Vulnerabilities Expose Linux and Other Systems to Remote Attacks
In a significant development for cybersecurity, multiple critical vulnerabilities have been discovered in CUPS (Common Unix Printing System), a widely used print server on Linux systems and other plat ... Read more

-
Cybersecurity News
CVE-2024-9014 (CVSS 9.9): pgAdmin’s Critical Vulnerability Puts User Data at Risk
pgAdmin, the leading open-source management tool for PostgreSQL databases, has released an urgent security update to address a critical vulnerability affecting versions 8.11 and earlier. This flaw, id ... Read more

-
Cybersecurity News
CISA Warns of Actively Exploited Ivanti vTM Flaw CVE-2024-7593 (CVSS 9.8), PoC Published
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding an actively exploited security vulnerability impacting Ivanti Virtual Traffic Manager (vTM), a ... Read more

-
Cybersecurity News
CVE-2024-9043 (CVSS 9.8): Cellopoint Secure Email Gateway Flaw Puts Sensitive Data at Risk
A recently disclosed vulnerability (CVE-2024-9043) in Cellopoint’s Secure Email Gateway (SEG) could expose enterprise email systems to critical security risks, making it an urgent matter for administr ... Read more
The following table lists the changes that have been made to the
CVE-2024-36401
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Aug. 25, 2025
Action Type Old Value New Value Changed CPE Configuration OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.22.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.23.0 up to (excluding) 2.23.6 OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.22.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.23.0 up to (excluding) 2.23.6 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.1 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.1 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:* *cpe:2.3:a:geotools:geotools:30.0:rc:*:*:*:*:*:* *cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:* *cpe:2.3:a:geotools:geotools:31.0:rc:*:*:*:*:*:* -
Modified Analysis by [email protected]
Apr. 03, 2025
Action Type Old Value New Value Changed CPE Configuration OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.23.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.22.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.23.0 up to (excluding) 2.23.6 -
CVE Modified by [email protected]
Mar. 19, 2025
Action Type Old Value New Value Changed Description GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. -
Modified Analysis by [email protected]
Nov. 29, 2024
Action Type Old Value New Value Changed Reference Type https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 No Types Assigned https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 Exploit, Third Party Advisory -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv Added Reference https://github.com/geotools/geotools/pull/4797 Added Reference https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Added Reference https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 Added Reference https://osgeo-org.atlassian.net/browse/GEOT-7587 Added Reference https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 16, 2024
Action Type Old Value New Value Added Vulnerability Name OSGeo GeoServer GeoTools Eval Injection Vulnerability Added Due Date 2024-08-05 Added Date Added 2024-07-15 Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. -
Initial Analysis by [email protected]
Jul. 03, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Changed Reference Type https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv No Types Assigned https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv Mitigation, Vendor Advisory Changed Reference Type https://github.com/geotools/geotools/pull/4797 No Types Assigned https://github.com/geotools/geotools/pull/4797 Issue Tracking, Patch Changed Reference Type https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w No Types Assigned https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Exploit, Vendor Advisory Changed Reference Type https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 No Types Assigned https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 Exploit, Third Party Advisory Changed Reference Type https://osgeo-org.atlassian.net/browse/GEOT-7587 No Types Assigned https://osgeo-org.atlassian.net/browse/GEOT-7587 Vendor Advisory Added CWE NIST CWE-94 Added CPE Configuration OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.23.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2 -
CVE Received by [email protected]
Jul. 01, 2024
Action Type Old Value New Value Added Description GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. Added Reference GitHub, Inc. https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv [No types assigned] Added Reference GitHub, Inc. https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w [No types assigned] Added Reference GitHub, Inc. https://github.com/geotools/geotools/pull/4797 [No types assigned] Added Reference GitHub, Inc. https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 [No types assigned] Added Reference GitHub, Inc. https://osgeo-org.atlassian.net/browse/GEOT-7587 [No types assigned] Added CWE GitHub, Inc. CWE-95 Added CVSS V3.1 GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H