SSRF Bypass Vulnerability in Esri Portal for ArcGIS by Esri
CVE-2025-4967

9.1CRITICAL

Key Information:

Vendor: Esri
Status: Portal For Arcgis
Vendor: CVE Published:; 29 May 2025

What is CVE-2025-4967?

A flaw exists in Esri Portal for ArcGIS versions 11.4 and earlier, allowing remote, unauthenticated attackers to bypass server-side request forgery (SSRF) protections. This vulnerability could enable unauthorized data access or further exploit the system, highlighting the need for immediate patching and mitigation strategies.

Affected Version(s)

Portal for ArcGIS Windows 0 <= 11.4

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/ad...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2025
Vulnerability Reserved
May 19, 2025