CVE-2025-30220

CVE-2025-30220 is a critical-severity vulnerability in Geotools with a CVSS 3.x base score of 9.9. Its EPSS exploit-prediction score of 51% places it in the 99th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-611.

Key facts

Description

GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

Frequently asked questions

What is CVE-2025-30220?
GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
How severe is CVE-2025-30220?
CVE-2025-30220 has a CVSS 3.x base score of 9.9, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability low.
Is CVE-2025-30220 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 51% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-30220?
CVE-2025-30220 primarily affects Geotools. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2025-30220?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
Does CVE-2025-30220 have an EU (EUVD) identifier?
Yes. CVE-2025-30220 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-17683.
When was CVE-2025-30220 published?
CVE-2025-30220 was published on 2025-06-10 and last updated on 2026-06-17.

References

Affected products (5)

More vulnerabilities in Geotools

All CVEs affecting Geotools →

Other CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) vulnerabilities

Browse all CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) vulnerabilities →