GSD-2024-29198 — Vulnetix

GSD-2024-29198 PUBLISHED CVSS 7.5 HIGH

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
geoserver	geoserver	>= 2.0.0, < 2.24.4, >= 2.25.0, < 2.25.2

Timeline

Jun 10, 2025 CVE Published
Jul 14, 2025 PoC Published
Jul 18, 2025 PoC Published
Aug 2, 2025 PoC Published

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw url
https://osgeo-org.atlassian.net/browse/GEOS-11390 url
https://osgeo-org.atlassian.net/browse/GEOS-11794 url

Open in Interactive Console →