PT-2025-48090 · Opengeo · Geoserver

Published 2024-02-08 · Updated 2025-11-25 · CVE-2025-21621

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: GeoServer versions prior to 2.25.0
Description: A reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo text/html output format. A remote attacker can execute arbitrary JavaScript in a victim's browser by supplying a specially crafted SLD_BODY parameter, because the WMS service setting that controls HTML auto-escaping of GetFeatureInfo output is either disabled by default or absent entirely in affected versions. An attacker who controls a script running in the victim's browser can perform actions as that user, view information, modify data, and initiate interactions with other application users.
Recommendations: Update versions prior to 2.25.0 to version 2.25.0 or later. As mitigations, enable GetFeatureInfo HTML auto-escaping (available since GeoServer 2.21.3 and 2.22.1), disable dynamic styling, and disable the GetFeatureInfo text/html MIME type.
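The request shape the advisory describes (a GetFeatureInfo call with the text/html output format plus a caller-supplied SLD body) can be surfaced from web-server access logs until the fixes above are in place. The following is an added detection example, not code from the advisory or from the GeoServer project. It assumes a combined-style access log in front of a GeoServer at /geoserver/wms; the log lines are constructed for the example. It also flags the SLD parameter alongside SLD_BODY, since GeoServer's "dynamic styling" setting covers both.

```python
"""Flag WMS GetFeatureInfo requests that pair text/html output with a
caller-supplied style, the pattern described in the advisory.
Added example; log format and sample lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in a combined-log shape (assumed format, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Feb/2024:10:01:02 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states&FORMAT=image/png HTTP/1.1" 200 4521
10.0.0.7 - - [08/Feb/2024:10:01:09 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetFeatureInfo&LAYERS=topp:states&QUERY_LAYERS=topp:states&INFO_FORMAT=text/html&X=10&Y=10&WIDTH=256&HEIGHT=256&BBOX=-130,24,-66,50&SRS=EPSG:4326 HTTP/1.1" 200 1204
10.0.0.9 - - [08/Feb/2024:10:02:15 +0000] "GET /geoserver/wms?service=wms&request=GetFeatureInfo&layers=topp:states&query_layers=topp:states&info_format=text%2Fhtml&x=10&y=10&width=256&height=256&bbox=-130,24,-66,50&srs=EPSG:4326&sld_body=%3CStyledLayerDescriptor%3E%3Cscript%3E%3C%2Fscript%3E%3C%2FStyledLayerDescriptor%3E HTTP/1.1" 200 1300
10.0.0.9 - - [08/Feb/2024:10:03:40 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetFeatureInfo&LAYERS=topp:states&QUERY_LAYERS=topp:states&INFO_FORMAT=application/json&X=10&Y=10&WIDTH=256&HEIGHT=256&BBOX=-130,24,-66,50&SRS=EPSG:4326&SLD_BODY=%3CStyledLayerDescriptor%3E%3C%2FStyledLayerDescriptor%3E HTTP/1.1" 200 900
"""

# Combined-log request line: client, timestamp, method, target, status.
REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Markup that has no place in a style document: script tags, event handlers, javascript: URLs.
SCRIPT_MARKUP = re.compile(r'<\s*script\b|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)


def wms_params(target):
    """Decode the query string; WMS parameter names are case-insensitive, so lower-case keys."""
    query = urlsplit(target).query
    return {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def classify(params):
    """Return the reasons a GetFeatureInfo request deserves review (empty list if none)."""
    reasons = []
    if params.get('request', '').lower() != 'getfeatureinfo':
        return reasons
    html_output = params.get('info_format', '').lower().startswith('text/html')
    # Dynamic styling covers both the SLD (remote) and SLD_BODY (inline) parameters.
    dynamic_style = 'sld_body' in params or 'sld' in params
    if html_output and dynamic_style:
        reasons.append('html_output_with_dynamic_style')
    if html_output and SCRIPT_MARKUP.search(params.get('sld_body', '')):
        reasons.append('script_markup_in_sld_body')
    return reasons


def scan_log(text):
    """Scan access-log text and return one finding per request that matches."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        reasons = classify(wms_params(m['target']))
        if reasons:
            findings.append({'client': m['client'], 'time': m['time'],
                             'status': m['status'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the third sample line is reported: the second uses HTML output without any caller-supplied style, and the fourth supplies an SLD_BODY but asks for JSON, which the advisory does not cover. Once auto-escaping is enabled or dynamic styling and the text/html MIME type are disabled, the first reason still identifies clients that keep sending the now-rejected combination.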

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2025-14927
CVE-2025-21621
GHSA-W66H-J855-QR72

Affected Products

Geoserver