What is CVE-2024-34711?

CVE-2024-34711 is a critical-severity vulnerability in Geoserver, classified under Information Disclosure. CVSS score: 9.3/10. Published 2025-06-10.

How severe is CVE-2024-34711?

Critical severity. CVSS v3 base score is 9.3 out of 10.

XXE in Geoserver

CVE-2024-34711

GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET requ…

Vulnerability class: Information Disclosure

EPSS: 0.004 (62.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.3 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N.

Affected products

Geoserver — versions < 2.25.0

Weakness classification (CWE)

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965 (x_refsource_CONFIRM)
https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-34711?: CVE-2024-34711 is a critical-severity vulnerability in Geoserver, classified under Information Disclosure. CVSS score: 9.3/10. Published 2025-06-10.
How severe is CVE-2024-34711?: Critical severity. CVSS v3 base score is 9.3 out of 10.