Share
## https://sploitus.com/exploit?id=EFE8D5A5-DDF1-5B89-BE33-B6CCAF3B4E93
- During my geoserver analysis I found another way to attack unauthenticated XML External Entities (XXE) via WMS GetMap operation. We can call this vulnerability via /geoserver/{workspaces}/ows, by using OWS call to WMS service instead of calling WMS service directly via /geoserver/wms as shown below

- curl -X POST "http://IP:PORT/geoserver/topp/ows?service=WMS&version=2.0.0&request=getmap&maxFeatures=1&outputFormat=application%2Fjson" -H "Content-Type: application/xml" --data-binary @payload.xml -o output.png

- The vulnerability is CVE-2025-58360, but it provides an attack bypass for the attacker. Bypass WAF systems, intercept users using geoserver (Because users may not be able to update the version and only use WAF to intercept malicious requests)

![alt text](poc.png)