Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2024-36401
Status: Published
Remote Code Execution (RCE) vulnerability in evaluating property name expressions in GeoServer
- Vendor
- geoserver
- Product
- geoserver
- Published
- Jul 01, 2024
- EPSS
- —
Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC decision points
- Exploitation
- active
- Automatable
- Yes
- Technical impact
- total
References
- https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
- https://github.com/geotools/geotools/pull/4797
- https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852
- https://osgeo-org.atlassian.net/browse/GEOT-7587
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Jul 15, 2024 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-36401.yaml | Apr 25, 2025 |
| Nessus | https://www.tenable.com/plugins/nessus/204972 | Aug 02, 2024 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
metasploit · Created Unknown
Metasploit module for CVE-2024-36401
github · Created 2025-04-11 04:36:34 UTC · 15 stars
CVE-2024-36401 graphical exploitation tool; supports exploitation across JDK versions, with output echo and in-memory webshell implementation
github · Created 2024-11-27 19:13:49 UTC · 2 stars
CVE-2024-36401 (GeoServer Remote Code Execution)
github · Created 2024-11-22 03:57:12 UTC · 11 stars
CVE-2024-36401 GeoServer property expression injection RCE, woodpecker-framework plugin
github · Created 2024-10-05 10:08:55 UTC · 42 stars
GeoServer graphical vulnerability exploitation tool
github · Created 2024-09-28 14:55:50 UTC · 2 stars
GeoServer CVE-2024-36401: Remote Code Execution (RCE) Vulnerability In Evaluating Property Name Expressions
github · Created 2024-09-13 10:28:48 UTC · 3 stars
Proof-of-Concept Exploit for CVE-2024-36401 GeoServer 2.25.1
github · Created 2024-07-30 18:43:40 UTC · 78 stars
GeoServer Remote Code Execution
github · Created 2024-07-06 01:10:28 UTC · 47 stars
Remote Code Execution (RCE) Vulnerability In Evaluating Property Name Expressions, with multiple ways to exploit
github · Created 2024-07-05 15:24:50 UTC · 2 stars
Exploiter: a vulnerability detection and exploitation tool for GeoServer Unauthenticated Remote Code Execution CVE-2024-36401.
github · Created 2024-07-04 13:19:47 UTC · 33 stars
POC for CVE-2024-36401. This POC will attempt to establish a reverse shell from the vulnerable targets.
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel
- Detected by Nessus
- Proof of Concept Exploit Available
- Detected by Nuclei
- Detected by Metasploit