PatchSiren cyber security CVE debrief

CVE-2025-58360 OSGeo CVE debrief

CVE-2025-58360 is a GeoServer vulnerability described as an improper restriction of XML External Entity (XXE) reference handling. CISA added it to the Known Exploited Vulnerabilities catalog on 2025-12-11 and set a remediation due date of 2026-01-01. Because it is a KEV-listed issue, defenders should treat it as urgent and follow vendor mitigation guidance immediately.

Vendor: OSGeo
Product: GeoServer
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-12-11
Original CVE updated: 2025-12-11
Advisory published: 2025-12-11
Advisory updated: 2025-12-11

Who should care

OSGeo GeoServer operators, application owners, platform teams, and security teams responsible for exposed or business-critical GeoServer deployments should prioritize this advisory. Cloud service operators using GeoServer-based services should also review applicable CISA guidance.

Technical summary

The supplied record identifies CVE-2025-58360 as an improper restriction of XML External Entity reference vulnerability in OSGeo GeoServer. The source corpus does not provide version ranges, attack preconditions, or a CVSS score. The key defensive signal in the supplied material is that CISA lists the issue as known exploited, which makes mitigation urgency higher than a routine disclosure.

Defensive priority

High. CISA KEV inclusion indicates confirmed exploitation risk and a required remediation timeline. The supplied due date is 2026-01-01, so affected environments should be reviewed and mitigated without delay.

Recommended defensive actions

  • Apply vendor-provided mitigations for GeoServer as referenced in the linked vendor advisory and issue tracker.
  • If mitigations are unavailable or cannot be applied in time, discontinue use of the affected product or service path per CISA guidance.
  • For cloud services, follow applicable CISA BOD 22-01 guidance.
  • Inventory GeoServer deployments and confirm whether any exposed or business-critical instances are affected.
  • Track remediation status against the CISA KEV due date of 2026-01-01.
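As an added compensating control, not code from the CISA record or from GeoServer itself, the following Python screen flags XML request bodies that declare DTD entities (the construct an XXE attack depends on) before they reach the application's XML parser. The sample WFS bodies are constructed and the entity URI is a placeholder; this does not replace the vendor fix.

```python
# Added example (not GeoServer code or part of the CISA record): pre-parse
# screen that flags XML bodies carrying DTD/entity declarations (the
# construct XXE relies on) before they reach a full-featured XML parser.
import xml.parsers.expat as expat

def xml_entity_findings(body: bytes) -> list[str]:
    """Return one finding per DOCTYPE or entity declaration in `body`.
    An empty list means no DTD constructs; ordinary OGC requests have none."""
    findings: list[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            findings.append(f"external DTD for <{name}>: {sysid or pubid}")
        elif has_internal_subset:
            findings.append(f"internal DTD subset for <{name}>")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if value is None:  # no literal value: defined via SYSTEM/PUBLIC id
            findings.append(f"external {kind} entity {name!r} -> {sysid or pubid}")
        else:
            findings.append(f"internal {kind} entity {name!r}")

    # expat only reports declarations here: with no ExternalEntityRefHandler
    # set and parameter-entity parsing off (the default) it fetches nothing.
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings

def screen_request(body: bytes) -> bool:
    """True when the body is clean enough to hand to the real parser."""
    return not xml_entity_findings(body)

# Constructed sample bodies; neither is a real captured request.
BENIGN_GETFEATURE = b"""<?xml version="1.0"?>
<wfs:GetFeature service="WFS" version="1.1.0" xmlns:wfs="http://www.opengis.net/wfs">
  <wfs:Query typeName="topp:states"/>
</wfs:GetFeature>"""

ENTITY_DECLARING_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE wfs:GetFeature [ <!ENTITY ext SYSTEM "PLACEHOLDER_URI"> ]>
<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs">&ext;</wfs:GetFeature>"""
```

Placed at a reverse proxy or request filter in front of the OGC POST endpoints, a non-empty findings list is both a reason to reject the request and a log event worth alerting on while the vendor mitigation is rolled out.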

Evidence notes

This debrief is based only on the supplied CISA KEV entry and the official resource links listed in the corpus. The corpus identifies the vulnerability as an OSGeo GeoServer XXE issue and confirms KEV status with dateAdded 2025-12-11 and dueDate 2026-01-01. No CVSS score, affected version range, exploit details, or ransomware-campaign attribution beyond 'Unknown' were provided in the source corpus.

Official resources

Public advisory context is limited to the supplied official records. The issue is already listed in CISA KEV; this debrief intentionally excludes exploit instructions and uses only the provided corpus.