Summary
Remote Code Execution (RCE) vulnerability in geoserver
Full technical description
Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
Details
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to ALL GeoServer instances.
PoC
No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.
Workaround
A workaround exists by removing the gt-complex-x.y.jar file from the GeoServer where x.y is the GeoTools version (e.g., gt-complex-31.1.jar if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed by an extension you are using:
Mitigation for geoserver.war deploy:
- Stop the application server
- Unzip
geoserver.warinto a directory - Locate the file
WEB-INF/lib/gt-complex-x.y.jarand remove - Zip the directory into a new
geoserver.war - Restart the application server
Mitigation for GeoServer binary:
- Stop Jetty
- Locate the file
webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jarand remove - Restart Jetty
The following extensions and community modules are known to have a direct dependency on gt-complex jar and are not expected function properly without it. This is not comprehensive list and additional GeoServer functionality may be dependent on the availability of gt-complex jar:
- Extensions: Application Schema, Catalog Services for the Web, MongoDB Data Store
- Community Modules: Features-Templating, OGC API Modules, Smart Data Loader, SOLR Data Store
Mitigation available for prior releases patching three jars in your existing install:
Patched
gt-app-schema,gt-complexandgt-xsd-corejars may be downloaded for GeoServer: 2.25.1, 2.24.3, 2.24.2, 2.23.2, 2.22.2, 2.21.5, 2.21.4,2.20.7, 2.20.4, 2.19.2, 2.18.0.As example the 2.25.1 page links to geoserver-2.25.1-patches.zip download on source forge.
Unzip the
geoserver-x.y.z-patches.zipwhich contains three jars that have been patched to configurecommons-jxpathwith an empty function list prior to use. These files are drop-in replacements with identical file names to those they are replacing.Follow the instructions above to locate
WEB-INF/libfolder and replace the existinggt-app-schema,gt-complexandgt-xsd-corejars with those supplied by the patch.
References
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
https://osgeo-org.atlassian.net/browse/GEOT-7587
https://github.com/geotools/geotools/pull/4797
https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852
Impact
This vulnerability can lead to executing arbitrary code.
Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.
CVE-2024-36401 has a CVSS score of 9.8 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.24.4, 2.25.2, 2.23.6, 2.22.6); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
org.geoserver.web:gs-web-app to 2.24.4 or later; org.geoserver:gs-wfs to 2.24.4 or later; org.geoserver:gs-wms to 2.24.4 or later; org.geoserver.web:gs-web-app to 2.25.2 or later; org.geoserver:gs-wfs to 2.25.2 or later; org.geoserver:gs-wms to 2.25.2 or later; org.geoserver.web:gs-web-app to 2.23.6 or later; org.geoserver:gs-wfs to 2.23.6 or later; org.geoserver:gs-wms to 2.23.6 or later; org.geoserver.web:gs-web-app to 2.22.6 or later; org.geoserver:gs-wfs to 2.22.6 or later; org.geoserver:gs-wms to 2.22.6 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-36401? CVE-2024-36401 is a critical-severity code injection vulnerability in org.geoserver.web:gs-web-app (maven), affecting versions >= 2.24.0, < 2.24.4. It is fixed in 2.24.4, 2.25.2, 2.23.6, 2.22.6. Untrusted input is evaluated as executable code within the application's runtime environment.
- How severe is CVE-2024-36401? CVE-2024-36401 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2024-36401?
org.geoserver.web:gs-web-app(maven) (versions >= 2.24.0, < 2.24.4)org.geoserver:gs-wfs(maven) (versions >= 2.24.0, < 2.24.4)org.geoserver:gs-wms(maven) (versions >= 2.24.0, < 2.24.4)
- Is there a fix for CVE-2024-36401? Yes. CVE-2024-36401 is fixed in 2.24.4, 2.25.2, 2.23.6, 2.22.6. Upgrade to this version or later.
- Is CVE-2024-36401 exploitable, and should I be worried? Whether CVE-2024-36401 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-36401 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-36401?
- Upgrade
org.geoserver.web:gs-web-appto 2.24.4 or later - Upgrade
org.geoserver:gs-wfsto 2.24.4 or later - Upgrade
org.geoserver:gs-wmsto 2.24.4 or later - Upgrade
org.geoserver.web:gs-web-appto 2.25.2 or later - Upgrade
org.geoserver:gs-wfsto 2.25.2 or later - Upgrade
org.geoserver:gs-wmsto 2.25.2 or later - Upgrade
org.geoserver.web:gs-web-appto 2.23.6 or later - Upgrade
org.geoserver:gs-wfsto 2.23.6 or later - Upgrade
org.geoserver:gs-wmsto 2.23.6 or later - Upgrade
org.geoserver.web:gs-web-appto 2.22.6 or later - Upgrade
org.geoserver:gs-wfsto 2.22.6 or later - Upgrade
org.geoserver:gs-wmsto 2.22.6 or later
- Upgrade