Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-36401

CRITICAL
Published 2024-07-01T15:25:41.873Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-36401. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
9.8
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.944
probability
of exploitation in the wild

There is a 94.4% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 1.000
Higher than 100.0% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.

The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.

Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

Available Exploits

GeoServer RCE in Evaluating Property Name Expressions

In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.

ID: CVE-2024-36401
Author: DhiyaneshDkryanborum Critical

References:

Related News

No news articles found for this CVE.

Affected Products

geoserver

geoserver

Affected Versions:

>= 2.23.0, < 2.23.6 >= 2.24.0, < 2.24.4 >= 2.25.0, < 2.25.2 < 2.22.6
geoserver

geoserver

Affected Versions:

0
geoserver

geoserver

Affected Versions:

2.24.0
geoserver

geoserver

Affected Versions:

2.25.0

Known Exploited Vulnerability

This vulnerability is actively being exploited in the wild

View KEV Details

Remediation Status

Overdue

Due Date

August 5, 2024

Added to KEV

July 15, 2024

Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Product

Vendor/Project: OSGeo
Product: GeoServer

Ransomware Risk

Known Ransomware Use
KEV Catalog Version: 2025.01.24 Released: January 24, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed CRITICAL

Remote Code Execution (RCE) vulnerability in geoserver

GHSA-6jj6-gm7p-fcvv

Advisory Details

### Summary Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. ### Details The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. ### PoC No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. ### Impact This vulnerability can lead to executing arbitrary code. ### Workaround A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed by an extension you are using: Mitigation for `geoserver.war` deploy: 1. Stop the application server 2. Unzip `geoserver.war` into a directory 3. Locate the file `WEB-INF/lib/gt-complex-x.y.jar` and remove 4. Zip the directory into a new `geoserver.war` 5. Restart the application server Mitigation for GeoServer binary: 1. Stop Jetty 2. Locate the file `webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar` and remove 3. Restart Jetty The following extensions and community modules are known to have a direct dependency on `gt-complex` jar and are not expected function properly without it. This is not comprehensive list and additional GeoServer functionality may be dependent on the availability of `gt-complex` jar: * Extensions: Application Schema, Catalog Services for the Web, MongoDB Data Store * Community Modules: Features-Templating, OGC API Modules, Smart Data Loader, SOLR Data Store Mitigation available for prior releases patching three jars in your existing install: 1. Patched `gt-app-schema`, `gt-complex` and `gt-xsd-core` jars may be downloaded for GeoServer: [2.25.1](https://sourceforge.net/projects/geoserver/files/GeoServer/2.25.1/geoserver-2.25.1-patches.zip/download), [2.24.3](https://sourceforge.net/projects/geoserver/files/GeoServer/2.24.3/geoserver-2.24.3-patches.zip/download), [2.24.2](https://sourceforge.net/projects/geoserver/files/GeoServer/2.24.2/geoserver-2.24.2-patches.zip/download), [2.23.2](https://sourceforge.net/projects/geoserver/files/GeoServer/2.23.2/geoserver-2.23.2-patches.zip/download), [2.22.2](https://sourceforge.net/projects/geoserver/files/GeoServer/2.22.2/geoserver-2.22.2-patches.zip/download), [2.21.5](https://sourceforge.net/projects/geoserver/files/GeoServer/2.21.5/geoserver-2.21.5-patches.zip/download), [2.21.4](https://sourceforge.net/projects/geoserver/files/GeoServer/2.21.4/geoserver-2.21.4-patches.zip/download),[2.20.7](https://sourceforge.net/projects/geoserver/files/GeoServer/2.20.7/geoserver-2.20.7-patches.zip/download), [2.20.4](https://sourceforge.net/projects/geoserver/files/GeoServer/2.20.4/geoserver-2.20.4-patches.zip/download), [2.19.2](https://sourceforge.net/projects/geoserver/files/GeoServer/2.19.2/geoserver-2.19.2-patches.zip/download), [2.18.0](https://sourceforge.net/projects/geoserver/files/GeoServer/2.18.0/geoserver-2.18.0-patches.zip/download). As example the 2.25.1 page links to [geoserver-2.25.1-patches.zip](https://sourceforge.net/projects/geoserver/files/GeoServer/2.25.1/geoserver-2.25.1-patches.zip/download) download on source forge. 2. Unzip the `geoserver-x.y.z-patches.zip` which contains three jars that have been patched to configure `commons-jxpath` with an empty function list prior to use. These files are drop-in replacements with identical file names to those they are replacing. 3. Follow the instructions above to locate `WEB-INF/lib` folder and replace the existing `gt-app-schema`, `gt-complex` and `gt-xsd-core` jars with those supplied by the patch. ### References https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w https://osgeo-org.atlassian.net/browse/GEOT-7587 https://github.com/geotools/geotools/pull/4797 https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852

Affected Packages

Maven org.geoserver.web:gs-web-app
ECOSYSTEM: ≥2.24.0 <2.24.4
Maven org.geoserver:gs-wfs
ECOSYSTEM: ≥2.24.0 <2.24.4
Maven org.geoserver:gs-wms
ECOSYSTEM: ≥2.24.0 <2.24.4
Maven org.geoserver.web:gs-web-app
ECOSYSTEM: ≥2.25.0 <2.25.2
Maven org.geoserver:gs-wfs
ECOSYSTEM: ≥2.25.0 <2.25.2
Maven org.geoserver:gs-wms
ECOSYSTEM: ≥2.25.0 <2.25.2
Maven org.geoserver.web:gs-web-app
ECOSYSTEM: ≥2.23.0 <2.23.6
Maven org.geoserver:gs-wfs
ECOSYSTEM: ≥2.23.0 <2.23.6
Maven org.geoserver:gs-wms
ECOSYSTEM: ≥2.23.0 <2.23.6
Maven org.geoserver.web:gs-web-app
ECOSYSTEM: ≥0 <2.22.6
Maven org.geoserver:gs-wfs
ECOSYSTEM: ≥0 <2.22.6
Maven org.geoserver:gs-wms
ECOSYSTEM: ≥0 <2.22.6

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

WEB https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
WEB https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-36401
WEB https://github.com/geotools/geotools/pull/4797
WEB https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852
PACKAGE https://github.com/geoserver/geoserver
WEB https://osgeo-org.atlassian.net/browse/GEOT-7587
WEB https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401

Advisory provided by GitHub Security Advisory Database. Published: July 1, 2024, Modified: March 19, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

8 posts
Reddit 2 weeks, 1 day ago
crstux
Exploit PoC

🔥 Top 10 Trending CVEs (25/08/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-54253](https://nvd.nist.gov/vuln/detail/CVE-2025-54253)** - 📝 Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass …

Also mentions: CVE-2025-43300 CVE-2025-9074 CVE-2025-52970 CVE-2025-54253 CVE-2025-49533 CVE-2025-38236 CVE-2025-21479 CVE-2025-32433
1
1.0
View Original High Risk
Reddit 2 weeks, 2 days ago
crstux
Exploit PoC

🔥 Top 10 Trending CVEs (24/08/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-50864](https://nvd.nist.gov/vuln/detail/CVE-2025-50864)** - 📝 An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking …

Also mentions: CVE-2025-43300 CVE-2025-9074 CVE-2025-38236 CVE-2025-21479 CVE-2025-37899 CVE-2025-32433 CVE-2025-1316
1
1.0
View Original High Risk
Reddit 2 weeks, 2 days ago
Suspicious_Bug4112
Exploit

Cybercriminals Exploit GeoServer Flaw for Cryptomining Attacks **Date:** 23-Aug-25 Recent reports highlight a critical vulnerability in GeoServer software, tracked as CVE-2024-36401, which cybercriminals are actively exploiting to deploy cryptomining malware and create IoT botnets. This vulnerability enables remote code execution, allowing attackers to install miners like XMRig on both cloud …

1
1.0
View Original High Risk
Reddit 2 weeks, 3 days ago
crstux
Exploit PoC

🔥 Top 10 Trending CVEs (23/08/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-9074](https://nvd.nist.gov/vuln/detail/CVE-2025-9074)** - 📝 A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. …

Also mentions: CVE-2025-43300 CVE-2025-9074 CVE-2025-54336 CVE-2025-21479 CVE-2025-29927 CVE-2025-37778 CVE-2025-1316 CVE-2024-55415
1
1.0
View Original High Risk
Reddit 2 weeks, 3 days ago
_cybersecurity_
Exploit Payload

Emerging Threats: GeoServer Exploits and New Botnets Challenge Cybersecurity **Recent campaigns leverage known vulnerabilities in GeoServer and IoT devices, exposing systems to exploitation and generating passive income for attackers.** **Key Points:** - CVE-2024-36401 exploits allow attackers to monetize victims' bandwidth stealthily. - The PolarEdge botnet, accumulating 40,000 devices, reflects a …

1
1
3.0
View Original High Risk
Reddit 2 weeks, 3 days ago
falconupkid

GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and expose Redis servers to various malicious activities, including leveraging the compromised devices as IoT botnets,... **CVEs:** CVE-2024-36401 **Source:** https://thehackernews.com/2025/08/geoserver-exploits-polaredge-and.html

1
1.0
View Original
Reddit 2 weeks, 4 days ago
Immediate_Gold9789
Exploit Payload

CVE-2024-36401 Exploited in Stealthy Bandwidth-Monetization Campaign By CyberDudeBivash — Global Cybersecurity & AI Threat Intelligence Network CyberDudeBivash — Your Global Cybersecurity Shield # Executive Summary A newly discovered exploitation campaign has weaponized **CVE-2024-36401**, a critical vulnerability now being actively used by cybercriminal groups. Unlike traditional ransomware or crypto-mining attacks, this …

1
1.0
View Original High Risk
Reddit 2 weeks, 5 days ago
falconupkid

Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth A campaign leverages CVE-2024-36401 to stealthily monetize victims' bandwidth where legitimate software development kits (SDKs) are deployed for passive income. The post Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your... **CVEs:** CVE-2024-36401 **Source:** https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdks/

1
1.0
View Original

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
https://github.com/geotools/geotools/pull/4797
https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852
https://osgeo-org.atlassian.net/browse/GEOT-7587
Published: 2024-07-01T15:25:41.873Z
Last Modified: 2025-07-28T19:43:11.377Z
Copied to clipboard!