Added a New Vulnerability Detection Module for CVE-2024-36401#1341

Open
sankalp-b1401 wants to merge 2 commits into OWASP:master from sankalp-b1401:modules/vuln/geoserver_cve_2024_36401

Conversation

@sankalp-b1401
Contributor

Proposed change

CVE-2024-36401 is a critical vulnerability in GeoServer, an open-source server that allows users to edit and share geospatial data. The GeoServer library API passes property names to the commons-jxpath library, which can execute arbitrary code when processing XPath expressions.

Testing:

  • For the vulnerable server, I used a vulnerable Docker image of GeoServer v2.23.5.
  • For the non-vulnerable server, I used GeoServer v2.28.0.

Type of change

  • New core framework functionality
  • Bugfix (non-breaking change which fixes an issue)
  • Code refactoring without any functionality changes
  • New or existing module/payload change
  • Documentation/localization improvement
  • Test coverage improvement
  • Dependency upgrade
  • Other improvement (best practice, cleanup, optimization, etc)

Checklist

  • I've followed the contributing guidelines
  • I have digitally signed all my commits in this PR
  • I've run make pre-commit and confirm it didn't generate any warnings/changes
  • I've run make test, I confirm all tests passed locally
  • I've added/updated any relevant documentation in the docs/ folder
  • I've linked this PR with an open issue
  • I've tested and verified that my code works as intended and resolves the issue as described
  • I have attached screenshots demonstrating my code works as intended
  • I've checked all other open PRs to avoid submitting duplicate work
  • I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
  • I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision

@coderabbitai
Contributor

coderabbitai bot commented Mar 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4a98daf and 76d9833.

📒 Files selected for processing (1)
  • nettacker/modules/vuln/geoserver_cve_2024_36401.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • nettacker/modules/vuln/geoserver_cve_2024_36401.yaml

Summary by CodeRabbit

  • New Features

  • Deprecated

  • Documentation

    • Updated vulnerability modules documentation to reflect the latest detections.

Walkthrough

Adds a new GeoServer vulnerability detection module for CVE-2024-36401 (multi-step WFS probing over HTTP and HTTPS) and updates documentation to include the new module while removing a Next.js entry from the list.

Changes

Cohort / File(s): Summary

Documentation Update (docs/Modules.md):
Added geoserver_cve_2024_36401_vuln to the Vuln Modules list and removed nextjs_cve_2025_55182_vuln.

New Vulnerability Module (nettacker/modules/vuln/geoserver_cve_2024_36401.yaml):
New YAML module for CVE-2024-36401: metadata, references, input schemas, and two payload groups (HTTP on port 80, HTTPS on port 443) implementing two-step DescribeFeatureType → GetPropertyValue sequences with saved temp events and dependent checks for Java runtime ClassCastException responses.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested labels

new module

Suggested reviewers

  • arkid15r
  • securestep9
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Title check: ✅ Passed. The title accurately and specifically describes the main change: adding a new vulnerability detection module for CVE-2024-36401, which is the primary purpose of this PR.
Description check: ✅ Passed. The description is directly related to the changeset, explaining the CVE-2024-36401 vulnerability context, testing methodology, and including evidence of the implementation working correctly.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/Modules.md`:
- Line 149: Fix the minor docs spacing typo in the Modules.md entry for
'**next_cve_2025_55182_vuln**' by inserting a single space before the
parenthetical so the line reads with " (React2Shell)" instead of "(React2Shell)"
to improve readability; update the string describing
'**next_cve_2025_55182_vuln**' accordingly.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ceb05e4 and d2fcc0f.

📒 Files selected for processing (3)
  • docs/Modules.md
  • nettacker/modules/vuln/geoserver_cve_2024_36401.yaml
  • nettacker/modules/vuln/next_cve_2025_55182.yaml

@sankalp-b1401 force-pushed the modules/vuln/geoserver_cve_2024_36401 branch from d2fcc0f to 4a98daf on March 3, 2026 at 13:49
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
docs/Modules.md (1)

147-147: @sankalp-b1401 Please confirm all commits are signed before merge.

Unsigned commits should be treated as failing pre-merge checks. If needed, you can sign and rewrite with:
git rebase --exec 'git commit --amend --no-edit -S' -i <base> and then force-push.

Based on learnings: When reviewing any pull request in the OWASP/Nettacker repository, always remind the PR author to use signed commits and explicitly state that the PR fails pre-merge checks if any commits are unsigned.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/Modules.md` at line 147, The review notes that commits must be
GPG-signed before merge and unsigned commits should fail pre-merge checks;
update project merge checklist and contributor guidance to enforce this by
adding a note next to the module entry '**geoserver_cve_2024_36401_vuln**' (and
any similar module entries) that all commits in the PR must be signed, and
include the suggested remediation command (git rebase --exec 'git commit --amend
--no-edit -S' -i <base>) as the recommended fix for unsigned commits so
reviewers treat unsigned commits as failing pre-merge checks.
nettacker/modules/vuln/geoserver_cve_2024_36401.yaml (2)

6-9: Tighten description wording for clarity.

Line 6-9 has minor wording/casing issues (“opensource”, “allows user”, “Geoserver”). Consider polishing this text for consistency.

✏️ Suggested text cleanup
-    CVE-2024-36401 is a critical vulnerability in GeoServer, an opensource
-    server that allows user to edit and share geospatial data. The Geoserver
-    library API passes property names as common-jsxpath library which can
+    CVE-2024-36401 is a critical vulnerability in GeoServer, an open-source
+    server that allows users to edit and share geospatial data. The GeoServer
+    library API passes property names to the common-jsxpath library, which can
     execute arbitrary code when processing XPath expressions.
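Review bot: the third `+` line still carries the misspelled library name "common-jsxpath"; the library GeoServer hands property names to is Apache Commons JXPath (commons-jxpath), so the suggested replacement should read "passes property names to the commons-jxpath library, which can" rather than propagating the typo into the module description along with the casing fixes.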
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/geoserver_cve_2024_36401.yaml` around lines 6 - 9,
Update the description paragraph for CVE-2024-36401 in
geoserver_cve_2024_36401.yaml to fix casing and wording: change “opensource” to
“open-source”, “allows user” to “allows users”, “Geoserver” to “GeoServer”, and
clarify the API phrasing (e.g., “the GeoServer library API passes property names
to the common-jsxpath library, which can execute arbitrary code when processing
XPath expressions”); ensure the sentence is concise, grammatically correct, and
preserves the original vulnerability meaning.

27-27: Consider a slightly higher timeout for network resilience.

A 3-second timeout is prone to intermittent misses on loaded or high-latency targets. Using a modestly higher timeout can improve scan stability.

Also applies to: 54-54, 83-83, 110-110

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/geoserver_cve_2024_36401.yaml` at line 27, Replace the
low network timeout values by updating every occurrence of the YAML key
"timeout: 3" in geoserver_cve_2024_36401.yaml to a slightly higher value (e.g.,
8 or 10 seconds) to improve resilience against loaded/high-latency targets;
ensure you update all instances (the repeated "timeout: 3" entries) so scans use
the new timeout consistently.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nettacker/modules/vuln/geoserver_cve_2024_36401.yaml`:
- Line 50: The current regex for the YAML scanner's "regex" field that matches
typeName (the QName after "typeName=") omits dots and allows invalid starts;
update the pattern used in the regex entry for typeName to include the dot
character in both QName parts and enforce NCName-like starts (each part must
start with a letter or underscore, followed by letters, digits, dot, hyphen or
underscore) so the detector correctly matches GeoServer WFS typeName QNames and
reduces false negatives.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d2fcc0f and 4a98daf.

📒 Files selected for processing (2)
  • docs/Modules.md
  • nettacker/modules/vuln/geoserver_cve_2024_36401.yaml
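A worked version of the typeName regex finding above, added here as an example and not code from the Nettacker module: it builds the NCName-like QName pattern the review asks for (dot allowed, no digit-initial parts) and runs it over a constructed DescribeFeatureType response; the host name and feature type names are made up.

```python
import re
from urllib.parse import unquote

# NCName-like part, as the review asks: starts with a letter or underscore, then
# letters, digits, dot, hyphen or underscore (the dot is what the original regex omitted).
NCNAME = r"[A-Za-z_][A-Za-z0-9._-]*"
# A WFS typeName QName is "prefix:local" or a bare "local"; both parts follow the rule.
QNAME = rf"{NCNAME}(?::{NCNAME})?"
# Stop at a URL/attribute boundary so a trailing "&" or quote is never swallowed.
TYPENAME_RE = re.compile(rf"typeName=({QNAME})" + r"""(?=[&"'\s]|$)""")

# Constructed response: with no typeName given, GeoServer imports one schema per
# namespace, each pointing at a typeName=... URL. Host and layers are made up; the
# last import carries a digit-initial QName to show the start rule rejecting it.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
  <xsd:import namespace="urn:topp" schemaLocation="http://geoserver.example/geoserver/wfs?service=WFS&amp;version=2.0.0&amp;request=DescribeFeatureType&amp;typeName=topp%3Astates"/>
  <xsd:import namespace="urn:tiger" schemaLocation="http://geoserver.example/geoserver/wfs?service=WFS&amp;version=2.0.0&amp;request=DescribeFeatureType&amp;typeName=tiger%3Apoly_landmarks"/>
  <xsd:import namespace="urn:sf" schemaLocation="http://geoserver.example/geoserver/wfs?request=DescribeFeatureType&amp;typeName=sf%3Aarchsites.v2"/>
  <xsd:import namespace="urn:bad" schemaLocation="http://geoserver.example/geoserver/wfs?request=DescribeFeatureType&amp;typeName=9bad%3Aname"/>
</xsd:schema>
"""


def is_wfs_typename(value: str) -> bool:
    """True if value is a well-formed WFS typeName QName under the NCName-like rule."""
    return re.fullmatch(QNAME, value) is not None


def extract_type_names(body: str) -> list[str]:
    """Return distinct typeName QNames found in a DescribeFeatureType response body.

    The schemaLocation URLs are XML-escaped and percent-encoded, so undo both before
    matching; otherwise the encoded colon (%3A) hides the prefix from the pattern.
    """
    decoded = unquote(body.replace("&amp;", "&"))
    found: list[str] = []
    for match in TYPENAME_RE.finditer(decoded):
        if match.group(1) not in found:
            found.append(match.group(1))
    return found


if __name__ == "__main__":
    print(extract_type_names(SAMPLE))  # ['topp:states', 'tiger:poly_landmarks', 'sf:archsites.v2']
```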
