VDB
CISA-2024-29198
CISA-2024-29198
PUBLISHED
CVSS 7.5 HIGH
Reported by GitHub_M · Published June 10, 2025
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| geoserver | geoserver | >= 2.0.0, < 2.24.4, >= 2.25.0, < 2.25.2 |
| geoserver | geoserver | >= 2.0.0, < 2.24.4, >= 2.25.0, < 2.25.2, >= 2.0.0, < 2.24.4 |
Timeline
- Jun 10, 2025 CVE Published
- Jun 17, 2025 CVE Updated
References
- https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw x_refsource_CONFIRM
- https://osgeo-org.atlassian.net/browse/GEOS-11390 x_refsource_MISC
- https://osgeo-org.atlassian.net/browse/GEOS-11794 x_refsource_MISC