AI-Powered Cyberattacks: How to Detect, Prevent & Defend Against Intelligent Threats

Read Now
We utilize artificial intelligence for site translations, and while we strive for accuracy, they may not always be 100% precise. Your understanding is appreciated.

CVE-2024-36401 in Open-Source GeoServer Exposes Systems to Remote Code Execution

by OPSWAT
Share this Post
Headshots of OPSWAT Fellowship Program participants
OPSWAT Fellowship Program Participants

In this blog, we explore CVE-2024-36401—a security vulnerability found in GeoServer, an open-source Java-based server widely used for geospatial data manipulation and sharing. This vulnerability, which could allow RCE (remote code execution) by unauthenticated users, underscores the critical importance of patching GeoServer deployments as soon as possible. 

In our latest security analysis, two OPSWAT Graduate Fellows investigate this threat by:

We’ll also share how OPSWAT SBOM technology can detect this vulnerability, plus provide actionable steps for teams to secure their geospatial infrastructure before attackers strike.

Illustration representing GeoServer vulnerability analysis

GeoServer Overview

GeoServer is a Java-based open-source server designed for viewing, editing, and sharing geospatial data. Initially launched in 2001 by TOPP (The Open Planning Project), GeoServer was developed to improve public engagement in government and urban planning through open spatial data exchange. Over two decades later, GeoServer has matured into a robust platform capable of handling various spatial data formats and integrating with different data sources.

GeoServer provides services based on the OGC (Open Geospatial Consortium) standards, including:

  • WFS (Web Feature Service) – Enables creating, modifying, and exchanging vector format geographic information using HTTP
  • WCS (Web Coverage Service) – Facilitates access to raster data (e.g., satellite imagery) for complex modeling and analysis.
  • WMS (Web Map Service) – Provides a simple HTTP interface for requesting map images.

Background on CVE-2024-36401

CVE-2024-36401 affects GeoServer versions prior to 2.25.2, 2.24.4, and 2.23.6. It arises from the unsafe evaluation of property names as XPath expressions across multiple OGC request parameters. Attackers can exploit this flaw to create RCE (remote code execution) by injecting crafted inputs in a default GeoServer installation.

 According to GitHub Security Advisories, this vulnerability carries a CVSS v3.1 score of 9.8 (Critical). 

Screenshot of CVSS Base Score Metrics used for assessing software vulnerabilities

GeoServer’s Simple vs. Complex Features

GeoServer supports both simple and complex feature types to accommodate different geospatial data structures, from flat to intricate, nested datasets. However, the flawed handling of XPath expressions across these data types is what makes CVE-2024-36401 exploitable.

Simple Features

Simple feature types represent straightforward geospatial data in a flat format, where each row in a database corresponds to a geospatial feature; and each attribute maps directly to an XML element. 

For example, a table representing companies with columns like id, name, and location can be easily converted into simple XML features.

idnamelocation
1OPSWATPOINT (10.769829, 106.685248)
GeoServer simple feature mapping from database rows to XML elements

Complex Features

In contrast, complex feature types handle more intricate data. This feature type supports nested properties and relationships between different datasets. These complex schemas are not generated automatically, but are defined using community standards, as outlined in the GeoServer's Application Schema extension.

Example: 

Under the previous companies table, we add a foreign key gu_id to describe the relationship between a company and its equivalent geologic unit:

idnamelocationgu_id
1OPSWATPOINT (10.769829, 106.685248)12

The geologic unit information is stored separately in the table geologicunit:

gu_idurndescription
12urn:x-demo:feature:GeologicUnit:12Metamorphic gneiss

By using these tables, we can map the company to a sa:SamplingCompany, which contains a nested gsml:GeologicUnit. This setup creates a complex feature, as it involves nested types and relationships defined by community specifications rather than automatically generated schemas.

Nested geologic unit relationships in GeoServer complex features

Such flexibility is essential for modeling complex real-world scenarios, but also introduces vulnerabilities due to its reliance on advanced processing techniques like JXPath evaluation to manage the nested structures effectively.

How the Vulnerability Arises

GeoServer is designed to use XPath evaluation to process complex feature types (such as those found in Application Schema data stores). But due to improper handling, it mistakenly applies XPath evaluation to simple feature types as well. This creates an attack vector because:

  1. GeoServer relies on the GeoTools library to evaluate property names during data retrieval.
  2. The commons-jxpath library, used for processing XPath expressions, lacks proper validation, which can execute arbitrary code when processing XPath expressions.
  3. This flaw exposes all GeoServer instances to potential RCE vulnerabilities, as an attacker can craft a malicious request that exploits this unsafe XPath execution to control the server.

Exploitation Workflow Overview

  • A POST request is sent to the GetPropertyValue operation. Then GeoServer attempts to retrieve the property (or valueReference) for a given feature.  
  • If the requested property exists in the Feature Type Details table, GeoServer processes it normally.
GeoServer fallback to commons-jxpath for XPath evaluation in a table
  • However, if the property is not listed, GeoServer falls back on the commons-jxpath library to interpret the request parameter as an XPath expression.
  • Since commons-jxpath permits executing Java code directly from XPath, this fallback mechanism potentially enables user-supplied request parameters to be exploited for remote code execution. Simply put, an attacker can inject malicious code to achieve RCE.
Workflow diagram illustrating GeoServer GetPropertyValue operation and attack flow

Vulnerability Exploitation and Analysis

JXPath and the Java Execution Bridge

Commons-jxpath processing of malicious XPath expressions in GeoServer

The commons-jxpath library, commonly referred to as JXPath, enables navigation through Java object graphs (JavaBeans, DOM objects, etc.) using XPath syntax. For example, if you have a simple Employee object with properties like name and address, JXPath allows you to query those properties as if they were nodes in an XML document.

JXPath navigation of Java object graphs using XPath syntax

Exploiting Extension Functions

Beyond standard functions, JXPath also supports extension functions which act as a bridge to Java. This “bridge to Java” is crucial because it allows Java functions to be invoked directly within XPath queries, for example:

JXPath querying properties of a Java Employee object

Because of the few limitations on which Java methods can be called through this bridge, an attacker can exploit the exec() function (or similar methods) to execute arbitrary commands on the server.

Extension function invocation bridging XPath to Java methods

WFS GetPropertyValue

GeoServer’s WFS enables users to query and manipulate geospatial features. Under normal conditions, the WFS GetPropertyValue operation would simply return the requested property in an XML structure.

WFS GetPropertyValue operation returning XML property
WFS GetPropertyValue XML response structure

Workflow Analysis

  1. An attacker sends a POST request to /geoserver/wfs.
  2. GeoServer examines the outermost XML tag—wfs:GetPropertyValue—to determine which operation to run.
  3. GeoServer then delegates the request parameters to the corresponding method in the WFS class. In this scenario, the Dispatcher directs the request to the GetPropertyValue method.
GeoServer Dispatcher directing request to GetPropertyValue method
  1. Within the DefaultWebFeatureService20 (WFS) class, this GetPropertyValue method forwards the user’s parameters to a handler of the same name.
  2. The handler’s run() method receives the request, including the critical valueReference parameter controlled by the user.
Handler run() method receiving user request with valueReference parameter
  1. During the run() method, GeoServer retrieves the referenceValue and invokes its evaluate() function.
GeoServer retrieving referenceValue and invoking evaluate() function
  1. If valueReference does not match GeoServer’s predefined properties, GeoServer defaults it to the FeaturePropertyAccessor, which interprets valueReference as an XPath expression.
FeaturePropertyAccessor interpreting valueReference as XPath expression
  1. The get() method in FeaturePropertyAccessor uses commons-jxpath to execute the XPath query. Here, the user’s valueReference is passed directly into the xpath parameter without validation. Through JXPathContext.newContext(), GeoServer initializes an environment for XPath queries, then runs them via iteratePointers().
Commons-jxpath executing XPath query with user-supplied valueReference

Since JXPath supports extension functions, attackers can inject malicious code into the XPath expression, triggering arbitrary code execution on the GeoServer instance.

Attacker injecting malicious code via XPath expression for RCE

This chain of events demonstrates how unsafe handling of the valueReference parameter can lead to RCE, representing a severe security threat to vulnerable GeoServer deployments.

Simulating the Attack

To simulate this exploitation in a real-world scenario, our OPSWAT Graduate Fellows deployed GeoServer on a local Windows machine. The following interface was displayed upon accessing GeoServer.

Screenshot of GeoServer interface on Windows machine for vulnerability simulation

Once the server is running, an attacker can exploit the vulnerability by sending a POST request with a malicious XPath expression via valueReference to the /geoserver/wfs endpoint.

XML code snippet demonstrating malicious POST request exploiting valueReference in GeoServer

Result: After the request is sent, the malicious XPath expression executes a system command and triggers the launch of the Calculator application.

Screenshot illustrating Calculator application launch after successful RCE exploit

Mitigation and Recommendations

A simple exploit can escalate into a software supply chain attack, particularly in projects that rely on open-source software such as GeoServer. OPSWAT SBOM (Software Bill of Materials) technology helps identify vulnerabilities such as CVE-2024-36401 in your codebase.

This example demonstrates how OPSWAT SBOM:

  1. Detects the software components impacted by vulnerabilities.
  2. Assesses and ranks the severity of the security flaw – here, the GeoServer CVEs are flagged as “Critical.”
  3. Identifies the affected version.
  4. Recommends the fixed version so that development teams can apply patches or take remediation measures promptly.
Dashboard screenshot of OPSWAT SBOM detecting GeoServer packages with critical vulnerabilities
OPSWAT SBOM (Software Bill of Materials) technology detects GeoServer packages with critical vulnerabilities.

Other Recommended Steps

  1. Update GeoServer: Upgrade to GeoServer versions 2.25.2, 2.24.4, or 2.23.6 (or later) where the vulnerability is patched.
  2. Audit Dependencies: Regularly use tools like OPSWAT SBOM to identify outdated libraries (e.g., commons-jxpath) in your environment.
  3. Restrict Access: Deploy GeoServer behind firewalls or authentication layers to minimize the attack surface.
  4. Monitor Security Advisories: Keep an eye on official GeoServer release notes and CVE databases to stay up to date on new patches.

About OPSWAT SBOM

OPSWAT SBOM supports the most popular programming languages, providing software development teams with visibility into third-party open-source libraries, their associated dependencies, and the latest available versions to upgrade. Developers can integrate OPSWAT SBOM into their source code and container services such as GitHub, BitBucket, GitLab, Amazon ECR, DockerHub, and more. Learn more about SBOM.

Talk to an expert today to learn how to integrate OPSWAT tools and solutions with your existing infrastructure and workflows:

Stay Up-to-Date With OPSWAT!

Sign up today to receive the latest company updates, stories, event info, and more.