GeoServer Open Source Server Vulnerability Exposing REST API Security Routes
CVE-2025-27505

5.3 MEDIUM

Key Information:

Vendor

Geoserver

Status
Vendor
CVE Published:
10 June 2025

What is CVE-2025-27505?

GeoServer, an open-source platform for sharing and editing geospatial data, contains a vulnerability that allows its default REST API security to be bypassed. The issue arises when the REST index page is requested through specific paths, including ones carrying an extension such as '.html', which can expose the list of installed extensions. The gap is closed by updating to version 2.26.3 or 2.25.6, or by changing the security configuration: adjust the REST and GWC filter paths as detailed in the advisory and restart the server.

Affected Version(s)

geoserver >= 2.26.0, < 2.26.3

geoserver < 2.25.6

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
