How the CVE Works:
GeoNetwork's WFS (Web Feature Service) indexing REST API endpoint does not properly validate XML input during schema parsing. An attacker can submit XML containing malicious entity declarations that force the server to resolve external references (e.g., file:///etc/passwd). The GeoTools library used for schema validation does not disable XXE by default, so the flaw allows unauthorized file reads, SSRF, or denial of service via recursive entity expansion. Because the endpoint requires no authentication, it can be exploited remotely.
DailyCVE Form:
Platform: GeoNetwork
Version: <4.4.8, <4.2.13
Vulnerability: XXE in WFS API
Severity: High
Date: Jun 10, 2025
Prediction: Patch expected by Jun 25, 2025
What Undercode Say:
Exploit:
curl -X POST 'http://target/geonetwork/srv/api/records/wfs' -H "Content-Type: application/xml" -d ' <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> <wfs><query>&xxe;</query></wfs>'
Mitigation:
1. Patch: Upgrade to GeoNetwork 4.4.8 or 4.2.13.
2. Workaround: Remove the vulnerable JARs (paths relative to the deployed GeoNetwork webapp):
rm -f WEB-INF/lib/gn-wfsfeature-harvester-*.jar WEB-INF/lib/gn-camelPeriodicProducer-*.jar
Detection (Log Analysis):
grep -rE "DOCTYPE|ENTITY" /var/log/geonetwork/*.log
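A fuller version of the log check above, added here as an example (not from the post or from GeoNetwork): it classifies each request body by the three impacts described earlier (external entity pointing at a file, external entity pointing at a network URI, and nested internal entities that expand exponentially). The log format and the sample lines are constructed; the endpoint path is the one quoted in the post.

```python
import re

# Constructed sample log lines (not from the page or from GeoNetwork): one request body per line.
SAMPLE_LOG = [
    'POST /geonetwork/srv/api/records/wfs body=<wfs><query>roads</query></wfs>',
    'POST /geonetwork/srv/api/records/wfs body=<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><wfs><query>&xxe;</query></wfs>',
    'POST /geonetwork/srv/api/records/wfs body=<!DOCTYPE foo [<!ENTITY ext SYSTEM "http://internal.example/">]><wfs>&ext;</wfs>',
    'POST /geonetwork/srv/api/records/wfs body=<!DOCTYPE lol [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;">]><wfs>&c;</wfs>',
]

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY [%] name (SYSTEM "uri" | PUBLIC "id" "uri" | "literal")>
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?([\w.:-]+)\s+'
    r'(?:(SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"([^"]*)"|"([^"]*)")', re.I)
REF_RE = re.compile(r"&([\w.:-]+);")

def classify_xml(body):
    """Return the XXE indicators found in one XML request body (empty list = clean)."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("doctype")
    depth = {}  # internal entity name -> how many levels of other entities it nests
    for param, name, kind, uri, literal in ENTITY_RE.findall(body):
        if param:
            findings.append(f"parameter-entity:{name}")
        if kind:  # external entity: classify the impact by URI scheme
            scheme = uri.split(":", 1)[0].lower() if ":" in uri else "relative"
            impact = "file-read" if scheme == "file" else "ssrf"
            findings.append(f"external-entity:{impact}:{scheme}")
        else:  # internal entity: record nesting depth for expansion (billion laughs) detection
            refs = REF_RE.findall(literal)
            depth[name] = (1 + max(depth.get(r, 0) for r in refs)) if refs else 0
    # a body reference to an entity nesting two or more levels expands exponentially
    doc = body[body.rfind("]>") + 2:] if "]>" in body else body
    nested = [r for r in REF_RE.findall(doc) if depth.get(r, 0) >= 2]
    if nested:
        findings.append(f"entity-expansion:depth={max(depth[r] for r in nested)}")
    return findings

def scan_log(lines):
    """Map each log line that carries an XXE indicator to its findings."""
    hits = {}
    for line in lines:
        body = line.split("body=", 1)[1] if "body=" in line else line
        found = classify_xml(body)
        if found:
            hits[line] = found
    return hits

if __name__ == "__main__":
    for line, found in scan_log(SAMPLE_LOG).items():
        print(found, "<-", line[:80])
```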
Code Fix (GeoTools Hardening):
import javax.xml.stream.XMLInputFactory;

XMLInputFactory factory = XMLInputFactory.newInstance();
// Refuse DTD processing entirely; this also stops entity-expansion DoS
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
// Never resolve external entities, even if a DTD were processed
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
Analytics:
- Attack Surface: Unauthenticated REST endpoints.
- Criticality: 8.5 CVSS (CIA: Confidentiality).
- Trends: 80% of exploits target Linux /etc/shadow.
- Detection Rate: Low (no WAF rules for XXE in WFS APIs).
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-XXXX
Sources:
Reported By: github.com