CVE-2025-30220

Name: CVE-2025-30220
Creator: NVD / NIST
Published: 2025-06-10T16:15:37.387+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.1/10EPSS 49.16%

Last modified Jun 17, 2026

CVE-2025-30220 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. EPSS estimates a 49.16% chance of exploitation in the next 30 days.

Description

GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

Metrics

CVSS 3.1

9.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Probability

49.16%

98.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Geotools	Geotools	< 28.6.1
Geotools	Geotools	>= 29.0, < 31.7
Geotools	Geotools	>= 32.0, < 32.3
Geotools	Geotools	33.0
Osgeo	Geonetwork	>= 4.2.0, < 4.2.13
Osgeo	Geonetwork	>= 4.4.0, < 4.4.8
Osgeo	Geoserver	< 2.25.7
Osgeo	Geoserver	>= 2.26.0, < 2.26.3
Osgeo	Geoserver	2.27.0

References

https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entitiesProduct
https://github.com/geonetwork/core-geonetwork/pull/8757Patch
https://github.com/geonetwork/core-geonetwork/pull/8803Patch
https://github.com/geonetwork/core-geonetwork/pull/8812Patch
https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvcPatch, Third Party Advisory
https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pcExploit, Patch, Third Party Advisory
https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vwThird Party Advisory

Timeline

Published: Jun 10, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-30220?

How severe is CVE-2025-30220?

CVE-2025-30220 has a CVSS score of 9.1/10 (CRITICAL severity). The EPSS model estimates a 49.16% probability of exploitation in the next 30 days.

How do I fix CVE-2025-30220?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-30220?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST