Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-59431

MapServer is a system for developing web-based GIS applications. Prior to 8.4.1, the XML Filter Query directive PropertyName is vulnerably to Boolean-based SQL injection. It seems like expression checking is bypassed by introducing double quote characters in the PropertyName. Allowing to manipulate backend database queries. This vulnerability is fixed in 8.4.1.

Published

2025-09-19T20:15:40.177

Last Modified

2025-10-08T18:26:15.403

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
CWE-89

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	osgeo	mapserver	8.4.0	Yes

References

https://github.com/MapServer/MapServer/security/advisories/GHSA-256m-rx4h-r55w Exploit, Vendor Advisory ([email protected])