GeoServer < 2.25.2/2.24.4/2.23.6 Remote Code Execution (CVE-2024-36401)
Overview
GeoServer < 2.25.2/2.24.4/2.23.6 Remote Code Execution, tracked as CVE-2024-36401, affects GeoServer deployments because of unsafe expression evaluation in the GeoTools library that GeoServer depends on. GeoServer is widely used to publish and manage geospatial data through web mapping standards.
Vulnerability Overview
CVE-2024-36401 is an eval injection vulnerability caused by unsafe evaluation of property names as XPath expressions. GeoServer calls GeoTools APIs that pass feature property names into expression handling intended for complex feature types, but the vulnerable evaluation is also reachable for simple feature types.
Because multiple OGC request paths can reach the vulnerable evaluation behavior, a default GeoServer installation can be exposed when it is reachable by unauthenticated users.
Impact
The vulnerability is rated Critical with a CVSS 3.1 score of 9.8. Successful exploitation can allow unauthenticated remote code execution, with high impact on the confidentiality, integrity, and availability of the affected GeoServer host.
CVE-2024-36401 is listed in CISA KEV and has been reported as actively exploited. Publicly reachable GeoServer instances should be patched or otherwise mitigated immediately.
Vulnerability Scope
Affected GeoServer versions include releases before 2.22.6, 2.23.6, 2.24.4, and 2.25.2. Related GeoTools versions are also affected because the root issue is in GeoTools expression handling used by GeoServer.
The strongest remediation is upgrading to a fixed GeoServer release. Temporary mitigation guidance exists for removing the vulnerable GeoTools complex module, but that can break functionality and should be evaluated carefully.
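The fixed releases above are per maintenance branch, so a version check has to compare against the right branch rather than a single number. The following added example (not part of the lab or of GeoServer) implements that check and ranks an inventory for remediation; it assumes that branches older than 2.22 never received a fix and that branches newer than 2.25 post-date the fix, and the inventory entries are constructed sample data.

```python
"""Check GeoServer version strings against the CVE-2024-36401 fixed releases
and rank an inventory for remediation. Added example, not GeoServer's own code."""
import re

# Minimum fixed release per maintained branch, as listed in the advisory text.
FIXED_RELEASES = {
    (2, 22): (2, 22, 6),
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}


def parse_version(text):
    """Parse 'major.minor[.patch]' (suffixes such as '-SNAPSHOT' are ignored)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text):
    """True when the version is below the fixed release of its own branch.
    Assumption: branches older than 2.22 have no fix (vulnerable) and branches
    newer than 2.25 were released after the fix (not vulnerable)."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return v < FIXED_RELEASES[branch]
    return branch < max(FIXED_RELEASES)


def triage(inventory):
    """Rank (name, version, internet_facing) entries: exposed and vulnerable
    hosts first, matching the advisory's guidance to patch public instances."""
    order = {"P1-patch-now": 0, "P2-patch-soon": 1, "OK": 2}
    rows = []
    for name, version, exposed in inventory:
        vuln = is_vulnerable(version)
        priority = "P1-patch-now" if vuln and exposed else "P2-patch-soon" if vuln else "OK"
        rows.append((priority, name, version))
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("maps-a", "2.25.2", True), ("maps-b", "2.24.1", True), ("maps-c", "2.23.0", False)]
    for row in triage(sample):
        print(*row)
```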
Lab Focus
This Hackviser lab focuses on understanding how unsafe expression evaluation in geospatial services can become unauthenticated remote code execution. You will practice identifying affected GeoServer versions, reasoning about exposed OGC request surfaces, and prioritizing remediation for internet-facing mapping services.
