PT-2024-4472 · Geoserver · Geoserver

Sikeoka · Published 2024-06-04 · Updated 2025-09-28 · CVE-2024-36401

CVSS v2.0: 10.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

**Name of the Vulnerable Software and Affected Versions**

GeoServer 2.25.x prior to 2.25.2, 2.24.x prior to 2.24.4, 2.23.x prior to 2.23.6, 2.22.x prior to 2.22.6, and all earlier release branches

**Description**

GeoServer is an open-source server for sharing and editing geospatial data. Multiple OGC request parameters allow unauthenticated Remote Code Execution (RCE) against a default GeoServer installation through specially crafted input, because property names are unsafely evaluated as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types by passing them to the commons-jxpath library, whose XPath evaluation can invoke arbitrary Java code. This XPath evaluation is intended only for complex feature types (Application Schema data stores) but is also applied to simple feature types, so every GeoServer instance is affected regardless of which data stores it serves.

The vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.

Attackers are actively exploiting this vulnerability, with reports of compromised systems and the deployment of malware such as NetCat, XMRig, SideWalk, and GOREVERSE. Threat actors, including Earth Baxia, are leveraging it to target government and energy sectors, using spear-phishing and customized malware. The vulnerability has been used to hijack resources, monetize bandwidth, and build botnets. A U.S. federal agency was breached through this vulnerability.
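The request families listed above pass property names through the XPath evaluator, which gives a detection engineer a simple invariant to check: on a simple feature type, the `propertyName` (WFS GetFeature) and `valueReference` (WFS GetPropertyValue) parameters can only ever carry attribute names, so a value that is a function call or that references Java classes is an injection attempt. The following is an added example of that check run over access-log lines; it is not code from the advisory or from the GeoServer project. The log lines are constructed, and the endpoint pattern, the Java indicator list and the log format are assumptions.

```python
"""Scan GET/KVP access-log lines for XPath injection attempts against the
GeoServer request parameters named in the advisory (CVE-2024-36401).
Added example; not GeoServer or advisory code."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Tomcat/Apache "combined" style request field: "GET /path?query HTTP/1.1".
REQUEST_FIELD = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: OGC services are exposed on these endpoint names (workspace
# prefixes such as /geoserver/topp/wfs still end the same way).
OGC_ENDPOINT = re.compile(r"/(wfs|wms|wps|ows)$", re.I)

# Parameters whose value is evaluated as a property name (WFS GetFeature
# propertyName, WFS 2.0 GetPropertyValue valueReference).
NAME_PARAMS = {"propertyname", "valuereference"}
# On a simple feature type a property name is just an attribute name,
# optionally namespace-prefixed (topp:the_geom) or a '/'-separated path.
# Parentheses, quotes or spaces can never be part of one.
PROPERTY_NAME = re.compile(
    r"^[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?(?:/[A-Za-z_@][\w.\-:]*)*$"
)
# Assumed indicators of an attempt to reach Java through commons-jxpath;
# checked against every decoded parameter value, not just the name params.
JAVA_INDICATORS = re.compile(
    r"java\.lang\.|getRuntime|ProcessBuilder|Class\.forName|\bexec\s*\(", re.I
)


@dataclass
class Finding:
    line_no: int
    param: str
    value: str
    reason: str


def inspect_target(target: str) -> List[Tuple[str, str, str]]:
    """Return (param, decoded value, reason) for each suspicious parameter."""
    parts = urlsplit(target)
    if not OGC_ENDPOINT.search(parts.path):
        return []
    hits = []
    # parse_qsl percent-decodes values, so %27 becomes a quote before matching.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if JAVA_INDICATORS.search(value):
            hits.append((key, value, "java-indicator"))
        elif key.lower() in NAME_PARAMS:
            names = [n.strip() for n in value.split(",")]
            if any(n and not PROPERTY_NAME.match(n) for n in names):
                hits.append((key, value, "non-name-xpath"))
    return hits


def scan_log(lines: Iterable[str]) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_FIELD.search(line)
        if m is None:
            continue
        for key, value, reason in inspect_target(m.group("target")):
            findings.append(Finding(line_no, key, value, reason))
    return findings


# Constructed sample log (RFC 5737 addresses); lines 2 and 3 are the attempts,
# line 4 is a legitimate CQL filter that must not be flagged.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jul/2024:10:12:01 +0000] "GET /geoserver/wfs?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 4821',
    '203.0.113.5 - - [05/Jul/2024:10:12:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 400 1203',
    '203.0.113.5 - - [05/Jul/2024:10:12:15 +0000] "GET /geoserver/ows?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=concat(%27a%27,%27b%27) HTTP/1.1" 200 611',
    '198.51.100.7 - - [05/Jul/2024:10:13:02 +0000] "GET /geoserver/wms?service=WMS&version=1.1.1&request=GetMap&layers=topp:states&CQL_FILTER=PERSONS%20%3E%201000000&bbox=-125,24,-66,50&width=768&height=384&srs=EPSG:4326&format=image/png HTTP/1.1" 200 90214',
    '198.51.100.7 - - [05/Jul/2024:10:13:40 +0000] "GET /geoserver/web/ HTTP/1.1" 200 7330',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} in {f.param}={f.value!r}")
```

Two limits worth knowing. WPS Execute and POST-form WFS/WMS requests carry the parameters in an XML body that never reaches the access log, so those vectors need inspection at a reverse proxy or WAF rather than in the log. And the HTTP status code says nothing about whether the expression was evaluated: the XPath runs while the request is processed, so a 400 on a matching line is still an attempt that warrants investigation.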

**Recommendations**

Update GeoServer to version 2.22.6, 2.23.6, 2.24.4, or 2.25.2 (or any later release on those branches). Where updating is not immediately possible, as a workaround remove the `gt-complex-x.y.jar` file from the GeoServer installation (it is deployed under `WEB-INF/lib`), where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1), and restart GeoServer. This removes the vulnerable code path but also removes complex-feature (Application Schema) support, so it may break functionality or prevent GeoServer from starting if that module is required. Because the vulnerability is under active exploitation, any instance that was reachable while unpatched should be reviewed for signs of compromise rather than only patched.
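The affected-version list above is per branch, and the workaround is a file removal, so both can be verified from the deployed jar directory. The following is an added example of that triage check, written for this page and not taken from the advisory or from GeoServer itself. It assumes that `WEB-INF/lib` contains a `gs-main-<version>.jar` whose name carries the GeoServer version, that the GeoTools module is named `gt-complex-<x.y>.jar` as the advisory describes, that branches older than 2.22 never received a fix, and that branches newer than 2.25 were released after the fix.

```python
"""Triage helper for CVE-2024-36401: is this GeoServer build fixed, and if not,
has the gt-complex workaround been applied? Added example, not GeoServer code."""
import re
from typing import Iterable, Optional

# Lowest patched release on each branch named in the advisory.
FIXED_PATCH = {(2, 22): 6, (2, 23): 6, (2, 24): 4, (2, 25): 2}
OLDEST_FIXED_BRANCH = (2, 22)

# Assumption: GeoServer's WEB-INF/lib carries gs-main-<version>.jar and the
# GeoTools complex-feature module as gt-complex-<geotools version>.jar.
GS_MAIN_JAR = re.compile(r"^gs-main-(\d+\.\d+(?:\.\d+)?)\.jar$")
GT_COMPLEX_JAR = re.compile(r"^gt-complex-\d+\.\d+\.jar$")


def parse_version(text: str) -> tuple:
    """'2.25.1' -> (2, 25, 1); tolerates suffixes such as '2.25.1-SNAPSHOT'."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable_version(text: str) -> bool:
    """Branch-aware comparison: 2.24.3 is vulnerable although 2.23.6 is fixed."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    # Branches older than 2.22 never received a fix; branches newer than 2.25
    # were released after it (assumption for 2.26+).
    return branch < OLDEST_FIXED_BRANCH


def version_from_jars(jar_names: Iterable[str]) -> Optional[str]:
    """Read the GeoServer version off the gs-main jar name (assumption)."""
    for name in jar_names:
        m = GS_MAIN_JAR.match(name)
        if m:
            return m.group(1)
    return None


def gt_complex_jar(jar_names: Iterable[str]) -> Optional[str]:
    """Name of the gt-complex jar if it is still deployed, else None."""
    return next((n for n in jar_names if GT_COMPLEX_JAR.match(n)), None)


def assess(jar_names: Iterable[str]) -> str:
    jars = list(jar_names)
    version = version_from_jars(jars)
    if version is None:
        return "unknown (no gs-main jar found)"
    if not is_vulnerable_version(version):
        return f"patched ({version})"
    jar = gt_complex_jar(jars)
    if jar is None:
        return f"workaround applied ({version}, gt-complex removed)"
    return f"vulnerable ({version}, {jar} present)"


if __name__ == "__main__":
    import os
    import sys
    # Path is an assumption for a Tomcat deployment; pass your own as argv[1].
    lib = sys.argv[1] if len(sys.argv) > 1 else "/opt/tomcat/webapps/geoserver/WEB-INF/lib"
    print(assess(os.listdir(lib)))
```

Run it against the `WEB-INF/lib` directory of each deployed GeoServer webapp; "workaround applied" still means the instance should be scheduled for the real update, since the jar removal only disables the vulnerable module.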

Exploit · Fix · RCE · Code Injection · Eval Injection

Weakness Enumeration

Related Identifiers

BDU:2024-04974
CVE-2024-36401
GHSA-6JJ6-GM7P-FCVV
GHSA-W3PJ-WH35-FQ8W

Affected Products

Geoserver