Service Side Request Forgery Vulnerability in GeoServer by OSGeo
CVE-2024-29198

7.5HIGH

Key Information:

Vendor: Geoserver
Status: Geoserver
Vendor: CVE Published:; 10 June 2025

What is CVE-2024-29198?

GeoServer, an open-source server designed for sharing and editing geospatial data, exposes a vulnerability through its Demo request endpoint. If the Proxy Base URL is not correctly configured, attackers may leverage this vulnerability to conduct Service Side Request Forgery (SSRF) attacks. This issue has been addressed in GeoServer versions 2.24.4 and 2.25.2, which eliminate the problematic TestWfsPost servlet, thereby mitigating the risk associated with this vulnerability.

Affected Version(s)

geoserver >= 2.0.0, < 2.24.4 < 2.0.0, 2.24.4

geoserver >= 2.25.0, < 2.25.2 < 2.25.0, 2.25.2

References

https://github.com/geoserver/geoserver/security/advisorie...

x_refsource_CONFIRM

https://osgeo-org.atlassian.net/browse/GEOS-11390

x_refsource_MISC

https://osgeo-org.atlassian.net/browse/GEOS-11794

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2025
Vulnerability Reserved
Mar 18, 2024

Geoserver

What is CVE-2024-29198?

Affected Version(s)

References

CVSS V3.1

Timeline