CVE-2025-59431

MapServer is a system for developing web-based GIS applications. Prior to 8.4.1, the XML Filter Query directive PropertyName is vulnerably to Boolean-based SQL injection. It seems like expression checking is bypassed by introducing double quote characters in the PropertyName. Allowing to manipulate backend database queries. This vulnerability is fixed in 8.4.1.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
VendorProductVersion
osgeomapserver
8.4.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
mapserver
bullseye
postponed
trixie
no-dsa
bookworm
no-dsa
forky
8.4.1-1
fixed
sid
8.4.1-2
fixed
Common Weakness Enumeration
References
https://github.com/MapServer/MapServer/security/advisories/GHSA-256m-rx4h-r55w