CVE-2024-36401
Detail
Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well, which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided, but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer installation, where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This removes the vulnerable code from GeoServer but may break some GeoServer functionality, or prevent GeoServer from deploying, if the gt-complex module is needed.
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings: NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings: Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0 Severity and Vector Strings: Base Score: NVD assessment not yet provided.
References to Advisories, Solutions, and Tools
| URL | Source(s) | Tag(s) |
|---|---|---|
| https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 | CVE, GitHub, Inc. | Exploit, Third Party Advisory |
| https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv | CVE, GitHub, Inc. | Mitigation, Vendor Advisory |
| https://github.com/geotools/geotools/pull/4797 | CVE, GitHub, Inc. | Issue Tracking, Patch |
| https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w | CVE, GitHub, Inc. | Exploit, Vendor Advisory |
| https://osgeo-org.atlassian.net/browse/GEOT-7587 | CVE, GitHub, Inc. | Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401 | CISA-ADP | US Government Resource |
| https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 | CVE | Exploit, Third Party Advisory |
This CVE is in CISA's Known Exploited Vulnerabilities Catalog. Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.
| Vulnerability Name | Date Added | Due Date | Required Action |
|---|---|---|---|
| OSGeo GeoServer GeoTools Eval Injection Vulnerability | 07/15/2024 | 08/05/2024 | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | NIST |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | GitHub, Inc. |
Change History
14 change records found
CVE Modified by CISA-ADP
6/17/2026 3:36:38 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Affected | | `[{"vendor":"geoserver","product":"geoserver","defaultStatus":"affected","cpes":["cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*"],"versions":[{"version":"0","lessThan":"2.23.6","versionType":"custom","status":"affected"}]},{"vendor":"geoserver","product":"geoserver","defaultStatus":"affected","cpes":["cpe:2.3:a:geoserver:geoserver:2.24.0:-:*:*:*:*:*:*"],"versions":[{"version":"2.24.0","lessThan":"2.24.4","versionType":"custom","status":"affected"}]},{"vendor":"geoserver","product":"geoserver","defaultStatus":"affected","cpes":["cpe:2.3:a:geoserver:geoserver:2.25.0:-:*:*:*:*:*:*"],"versions":[{"version":"2.25.0","lessThan":"2.25.2","versionType":"custom","status":"affected"}]}]` |
| Added | SSVC | | `{"timestamp":"2024-07-13T03:55:17.574252Z","id":"CVE-2024-36401","options":[{"exploitation":"active"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}` |
CVE Modified by GitHub, Inc.
6/17/2026 3:36:38 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Affected | | `[{"vendor":"geoserver","product":"geoserver","versions":[{"version":">= 2.23.0, < 2.23.6","status":"affected"},{"version":">= 2.24.0, < 2.24.4","status":"affected"},{"version":">= 2.25.0, < 2.25.2","status":"affected"},{"version":"< 2.22.6","status":"affected"}]}]` |
Modified Analysis by NIST
10/24/2025 10:00:22 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference Type | | CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401 Types: US Government Resource |
CVE Modified by CISA-ADP
10/21/2025 7:16:29 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401 |
CVE Modified by CISA-ADP
10/21/2025 4:20:04 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Removed | Reference | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401 | |
CVE Modified by CISA-ADP
10/21/2025 3:20:46 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401 |
Modified Analysis by NIST
8/24/2025 10:17:03 PM
Changed CPE Configuration
Old value (OR):
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.25.0 up to (excluding) 2.25.2
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.24.0 up to (excluding) 2.24.4
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions from (including) 30.0 up to (excluding) 30.4
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions from (including) 31.0 up to (excluding) 31.2
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions up to (excluding) 29.6
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions up to (excluding) 2.22.6
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.23.0 up to (excluding) 2.23.6
New value (OR):
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.25.0 up to (excluding) 2.25.2
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.24.0 up to (excluding) 2.24.4
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions up to (excluding) 29.6
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions up to (excluding) 2.22.6
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.23.0 up to (excluding) 2.23.6
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions from (including) 30.1 up to (excluding) 30.4
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions from (including) 31.1 up to (excluding) 31.2
- `cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:*`
- `cpe:2.3:a:geotools:geotools:30.0:rc:*:*:*:*:*:*`
- `cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:*`
- `cpe:2.3:a:geotools:geotools:31.0:rc:*:*:*:*:*:*`
Modified Analysis by NIST
4/03/2025 3:57:04 PM
Changed CPE Configuration
Old value (OR):
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions up to (excluding) 2.23.6
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.25.0 up to (excluding) 2.25.2
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.24.0 up to (excluding) 2.24.4
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions from (including) 30.0 up to (excluding) 30.4
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions from (including) 31.0 up to (excluding) 31.2
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions up to (excluding) 29.6
New value (OR):
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.25.0 up to (excluding) 2.25.2
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.24.0 up to (excluding) 2.24.4
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions from (including) 30.0 up to (excluding) 30.4
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions from (including) 31.0 up to (excluding) 31.2
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions up to (excluding) 29.6
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions up to (excluding) 2.22.6
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.23.0 up to (excluding) 2.23.6
CVE Modified by GitHub, Inc.
3/19/2025 11:15:47 AM
Changed Description
Old value:
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
New value:
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Modified Analysis by NIST
11/29/2024 10:32:24 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Changed | Reference Type | https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 No Types Assigned | https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 Exploit, Third Party Advisory |
CVE Modified by CVE
11/21/2024 4:22:06 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 |
| Added | Reference | | https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv |
| Added | Reference | | https://github.com/geotools/geotools/pull/4797 |
| Added | Reference | | https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w |
| Added | Reference | | https://osgeo-org.atlassian.net/browse/GEOT-7587 |
| Added | Reference | | https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 |
CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
7/15/2024 9:00:01 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Date Added | | 2024-07-15 |
| Added | Due Date | | 2024-08-05 |
| Added | Required Action | | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
| Added | Vulnerability Name | | OSGeo GeoServer GeoTools Eval Injection Vulnerability |
Initial Analysis by NIST
7/03/2024 11:07:42 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Added | CWE | | NIST CWE-94 |
Added CPE Configuration (OR):
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions up to (excluding) 2.23.6
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.24.0 up to (excluding) 2.24.4
- `cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*` versions from (including) 2.25.0 up to (excluding) 2.25.2
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions up to (excluding) 29.6
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions from (including) 30.0 up to (excluding) 30.4
- `cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*` versions from (including) 31.0 up to (excluding) 31.2
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Changed | Reference Type | https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 No Types Assigned | https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 Exploit, Third Party Advisory |
| Changed | Reference Type | https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv No Types Assigned | https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv Mitigation, Vendor Advisory |
| Changed | Reference Type | https://github.com/geotools/geotools/pull/4797 No Types Assigned | https://github.com/geotools/geotools/pull/4797 Issue Tracking, Patch |
| Changed | Reference Type | https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w No Types Assigned | https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Exploit, Vendor Advisory |
| Changed | Reference Type | https://osgeo-org.atlassian.net/browse/GEOT-7587 No Types Assigned | https://osgeo-org.atlassian.net/browse/GEOT-7587 Vendor Advisory |
New CVE Received from GitHub, Inc.
7/01/2024 12:15:04 PM
Added Description:
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Added | CWE | | GitHub, Inc. CWE-95 |
| Added | Reference | | GitHub, Inc. https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 [No types assigned] |
| Added | Reference | | GitHub, Inc. https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv [No types assigned] |
| Added | Reference | | GitHub, Inc. https://github.com/geotools/geotools/pull/4797 [No types assigned] |
| Added | Reference | | GitHub, Inc. https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w [No types assigned] |
| Added | Reference | | GitHub, Inc. https://osgeo-org.atlassian.net/browse/GEOT-7587 [No types assigned] |
Quick Info
CVE Dictionary Entry: CVE-2024-36401
NVD Published Date: 07/01/2024
NVD Last Modified: 06/17/2026
Source: GitHub, Inc.