GeoServer Vulnerability Exposing Sensitive Information in GeoWebCache
CVE-2024-38524

5.3MEDIUM

Key Information:

Vendor: Geoserver
Status: Geoserver
Vendor: CVE Published:; 10 June 2025

What is CVE-2024-38524?

GeoServer, an open-source platform for sharing and editing geospatial data, contains a vulnerability within the GeoWebCache component. Specifically, the function org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) lacks proper measures to restrict the exposure of sensitive information. By default, it may reveal storage location paths, which can be exploited by unauthorized users unless a specific hidden system property is configured. This issue is addressed in versions 2.26.2 and 2.25.6, hence users are urged to update to these or later versions to mitigate potential risks.

Affected Version(s)

geoserver >= 2.26.0, < 2.26.2 < 2.26.0, 2.26.2

geoserver < 2.25.6 < 2.25.6

References

https://github.com/geoserver/geoserver/security/advisorie...

x_refsource_CONFIRM

https://github.com/GeoWebCache/geowebcache/issues/1344

x_refsource_MISC

https://github.com/GeoWebCache/geowebcache/pull/1345

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2025
Vulnerability Reserved
Jun 18, 2024

Geoserver

What is CVE-2024-38524?

Affected Version(s)

References

CVSS V3.1

Timeline