module

GeoServer WMS GetMap XXE Arbitrary File Read

Try Surface Command
Back to search
Disclosed
Nov 25, 2025
Created
Dec 30, 2025

Description

This module exploits an XML External Entity (XXE) vulnerability in GeoServer
via the WMS GetMap operation. The vulnerability allows reading arbitrary files
from the server's file system by injecting an XXE entity in the SLD (Styled Layer Descriptor).

Affected versions:
- GeoServer >= 2.26.0,
- GeoServer

The file content is returned in the error message when the layer name contains
the XXE entity reference.

Authors

xbow-security
Valentin Lobstein [email protected]
Julien Voisin

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use auxiliary/gather/geoserver_wms_getmap_xxe_file_read
    msf auxiliary(geoserver_wms_getmap_xxe_file_read) > show actions
        ...actions...
    msf auxiliary(geoserver_wms_getmap_xxe_file_read) > set ACTION < action-name >
    msf auxiliary(geoserver_wms_getmap_xxe_file_read) > show options
        ...show and set options...
    msf auxiliary(geoserver_wms_getmap_xxe_file_read) > run
Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report