CVE-2024-36401

CVE-2024-36401 is a critical-severity code injection vulnerability in org.geoserver.web:gs-web-app (maven), affecting versions >= 2.24.0, < 2.24.4. It is fixed in 2.24.4, 2.25.2, 2.23.6, 2.22.6.

Summary

Remote Code Execution (RCE) vulnerability in geoserver

Full technical description

Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.

Details

The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to ALL GeoServer instances.

PoC

No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.

Workaround

A workaround exists by removing the gt-complex-x.y.jar file from the GeoServer where x.y is the GeoTools version (e.g., gt-complex-31.1.jar if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed by an extension you are using:

Mitigation for geoserver.war deploy:

  1. Stop the application server
  2. Unzip geoserver.war into a directory
  3. Locate the file WEB-INF/lib/gt-complex-x.y.jar and remove
  4. Zip the directory into a new geoserver.war
  5. Restart the application server

Mitigation for GeoServer binary:

  1. Stop Jetty
  2. Locate the file webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar and remove
  3. Restart Jetty

The following extensions and community modules are known to have a direct dependency on gt-complex jar and are not expected function properly without it. This is not comprehensive list and additional GeoServer functionality may be dependent on the availability of gt-complex jar:

  • Extensions: Application Schema, Catalog Services for the Web, MongoDB Data Store
  • Community Modules: Features-Templating, OGC API Modules, Smart Data Loader, SOLR Data Store

Mitigation available for prior releases patching three jars in your existing install:

  1. Patched gt-app-schema, gt-complex and gt-xsd-core jars may be downloaded for GeoServer: 2.25.1, 2.24.3, 2.24.2, 2.23.2, 2.22.2, 2.21.5, 2.21.4,2.20.7, 2.20.4, 2.19.2, 2.18.0.

    As example the 2.25.1 page links to geoserver-2.25.1-patches.zip download on source forge.

  2. Unzip the geoserver-x.y.z-patches.zip which contains three jars that have been patched to configure commons-jxpath with an empty function list prior to use. These files are drop-in replacements with identical file names to those they are replacing.

  3. Follow the instructions above to locate WEB-INF/lib folder and replace the existing gt-app-schema, gt-complex and gt-xsd-core jars with those supplied by the patch.

References

https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
https://osgeo-org.atlassian.net/browse/GEOT-7587
https://github.com/geotools/geotools/pull/4797
https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852

Impact

This vulnerability can lead to executing arbitrary code.

Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.

CVE-2024-36401 has a CVSS score of 9.8 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.24.4, 2.25.2, 2.23.6, 2.22.6); upgrading removes the vulnerable code path.

Affected versions

org.geoserver.web:gs-web-app (>= 2.24.0, < 2.24.4) org.geoserver:gs-wfs (>= 2.24.0, < 2.24.4) org.geoserver:gs-wms (>= 2.24.0, < 2.24.4) org.geoserver.web:gs-web-app (>= 2.25.0, < 2.25.2) org.geoserver:gs-wfs (>= 2.25.0, < 2.25.2) org.geoserver:gs-wms (>= 2.25.0, < 2.25.2) org.geoserver.web:gs-web-app (>= 2.23.0, < 2.23.6) org.geoserver:gs-wfs (>= 2.23.0, < 2.23.6) org.geoserver:gs-wms (>= 2.23.0, < 2.23.6) org.geoserver.web:gs-web-app (< 2.22.6) org.geoserver:gs-wfs (< 2.22.6) org.geoserver:gs-wms (< 2.22.6)

Security releases

org.geoserver.web:gs-web-app → 2.24.4 (maven) org.geoserver:gs-wfs → 2.24.4 (maven) org.geoserver:gs-wms → 2.24.4 (maven) org.geoserver.web:gs-web-app → 2.25.2 (maven) org.geoserver:gs-wfs → 2.25.2 (maven) org.geoserver:gs-wms → 2.25.2 (maven) org.geoserver.web:gs-web-app → 2.23.6 (maven) org.geoserver:gs-wfs → 2.23.6 (maven) org.geoserver:gs-wms → 2.23.6 (maven) org.geoserver.web:gs-web-app → 2.22.6 (maven) org.geoserver:gs-wfs → 2.22.6 (maven) org.geoserver:gs-wms → 2.22.6 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

org.geoserver.web:gs-web-app to 2.24.4 or later; org.geoserver:gs-wfs to 2.24.4 or later; org.geoserver:gs-wms to 2.24.4 or later; org.geoserver.web:gs-web-app to 2.25.2 or later; org.geoserver:gs-wfs to 2.25.2 or later; org.geoserver:gs-wms to 2.25.2 or later; org.geoserver.web:gs-web-app to 2.23.6 or later; org.geoserver:gs-wfs to 2.23.6 or later; org.geoserver:gs-wms to 2.23.6 or later; org.geoserver.web:gs-web-app to 2.22.6 or later; org.geoserver:gs-wfs to 2.22.6 or later; org.geoserver:gs-wms to 2.22.6 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2024-36401? CVE-2024-36401 is a critical-severity code injection vulnerability in org.geoserver.web:gs-web-app (maven), affecting versions >= 2.24.0, < 2.24.4. It is fixed in 2.24.4, 2.25.2, 2.23.6, 2.22.6. Untrusted input is evaluated as executable code within the application's runtime environment.
  2. How severe is CVE-2024-36401? CVE-2024-36401 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2024-36401?
    • org.geoserver.web:gs-web-app (maven) (versions >= 2.24.0, < 2.24.4)
    • org.geoserver:gs-wfs (maven) (versions >= 2.24.0, < 2.24.4)
    • org.geoserver:gs-wms (maven) (versions >= 2.24.0, < 2.24.4)
  4. Is there a fix for CVE-2024-36401? Yes. CVE-2024-36401 is fixed in 2.24.4, 2.25.2, 2.23.6, 2.22.6. Upgrade to this version or later.
  5. Is CVE-2024-36401 exploitable, and should I be worried? Whether CVE-2024-36401 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-36401 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-36401?
    • Upgrade org.geoserver.web:gs-web-app to 2.24.4 or later
    • Upgrade org.geoserver:gs-wfs to 2.24.4 or later
    • Upgrade org.geoserver:gs-wms to 2.24.4 or later
    • Upgrade org.geoserver.web:gs-web-app to 2.25.2 or later
    • Upgrade org.geoserver:gs-wfs to 2.25.2 or later
    • Upgrade org.geoserver:gs-wms to 2.25.2 or later
    • Upgrade org.geoserver.web:gs-web-app to 2.23.6 or later
    • Upgrade org.geoserver:gs-wfs to 2.23.6 or later
    • Upgrade org.geoserver:gs-wms to 2.23.6 or later
    • Upgrade org.geoserver.web:gs-web-app to 2.22.6 or later
    • Upgrade org.geoserver:gs-wfs to 2.22.6 or later
    • Upgrade org.geoserver:gs-wms to 2.22.6 or later

Other vulnerabilities in org.geoserver.web:gs-web-app

Stop the waste.
Protect your environment with Kodem.