PT-2025-24673 · Xbow-Security · Published 2025-06-09 · Updated 2026-03-13 · CVE-2025-30220

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

GeoServer versions prior to 2.27.1
GeoServer versions prior to 2.26.3
GeoServer versions prior to 2.25.7
GeoTools versions prior to 33.1
GeoTools versions prior to 32.3
GeoTools versions prior to 31.7
GeoTools versions prior to 28.6.1
GeoNetwork versions prior to 4.4.8
GeoNetwork versions prior to 4.2.13

Description

The issue stems from the use of the Eclipse XSD library in the GeoTools Schema class, which is vulnerable to XML External Entity (XXE) injection. It affects users who expose XML processing in which gt-xsd-core takes part in parsing and the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class does not use the EntityResolver provided by the ParserHandler. Users of the gt-wfs-ng DataStore are also affected, because its ENTITY RESOLVER connection parameter was not being used as intended.

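
To make the root cause concrete, the following Java example (added here; it is not GeoTools, GeoServer or Eclipse XSD code) shows the two defensive layers the description implies: refusing a DOCTYPE outright, and, where a DOCTYPE must be tolerated, actually installing the caller's EntityResolver on the parser so it never dereferences an external system id on its own. It uses the standard JAXP SAX API with a DTD external entity as the stand-in for the external schema reference; the class name ExternalEntityDemo, the DenyAllResolver helper and the sample document with its placeholder host are all constructed for the illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Added illustration, not GeoTools or GeoServer code. A parser that is handed
// an EntityResolver but never installs it behaves exactly like the default:
// every external entity or schema reference is fetched by the parser itself.
public final class ExternalEntityDemo {

    // Constructed sample input (not from the advisory): a document whose DTD
    // declares an external general entity. The host name is a placeholder.
    static final String DOC_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"http://placeholder.invalid/secret\">]>\n"
      + "<root>&ext;</root>";

    /** Resolver that refuses every external reference by handing the parser
     *  an empty InputSource instead of letting it open the system id. */
    static final class DenyAllResolver implements EntityResolver {
        int blocked;
        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            blocked++;
            return new InputSource(new StringReader(""));
        }
    }

    /** Layer 1: reject any document that carries a DOCTYPE. This is the
     *  strongest setting and is appropriate for most data-exchange formats. */
    static boolean parseRejectingDoctype(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        XMLReader reader = f.newSAXParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return true;            // no DOCTYPE present, document accepted
        } catch (SAXParseException e) {
            return false;           // DOCTYPE present, document rejected
        }
    }

    /** Layer 2: when a DOCTYPE has to be tolerated, the resolver supplied by
     *  the caller must be wired into the XMLReader. Leaving out setEntityResolver
     *  is the kind of defect the advisory describes: the resolver exists, but
     *  the parser never consults it and fetches the external reference itself. */
    static int parseWithResolver(String xml, DenyAllResolver resolver)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = f.newSAXParser().getXMLReader();
        reader.setEntityResolver(resolver);   // the wiring step that was missing
        reader.setContentHandler(new DefaultHandler());
        reader.parse(new InputSource(new StringReader(xml)));
        return resolver.blocked;              // external references intercepted
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted when DOCTYPE is refused: "
            + parseRejectingDoctype(DOC_WITH_EXTERNAL_ENTITY));
        DenyAllResolver r = new DenyAllResolver();
        System.out.println("external references intercepted by resolver: "
            + parseWithResolver(DOC_WITH_EXTERNAL_ENTITY, r));
    }
}
```

In a deployment the same idea applies at the boundary the description names: whichever component owns the parse must pass the configured EntityResolver down to the underlying reader, and an operator can confirm the fix by checking that a document referencing an unreachable external resource is rejected or parsed without any outbound connection being attempted.
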
Recommendations

For GeoServer versions prior to 2.27.1, update to version 2.27.1 or later.
For GeoServer versions prior to 2.26.3, update to version 2.26.3 or later.
For GeoServer versions prior to 2.25.7, update to version 2.25.7 or later.
For GeoTools versions prior to 33.1, update to version 33.1 or later.
For GeoTools versions prior to 32.3, update to version 32.3 or later.
For GeoTools versions prior to 31.7, update to version 31.7 or later.
For GeoTools versions prior to 28.6.1, update to version 28.6.1 or later.
For GeoNetwork versions prior to 4.4.8, update to version 4.4.8 or later.
For GeoNetwork versions prior to 4.2.13, update to version 4.2.13 or later.

Exploit

Fix

SSRF

XXE

Weakness Enumeration

Related Identifiers

BDU:2025-10404
CVE-2025-30220
GHSA-2P76-GC46-5FVC
GHSA-826P-4GCG-35VW
GHSA-JJ54-8F66-C5PC

Affected Products

Eclipse Xsd
Geonetwork
Geoserver
Geotools