Server-Side Request Forgery Vulnerability in GeoServer by OSGeo
CVE-2025-58175

6.5 MEDIUM

Key Information:

Vendor
GeoServer (OSGeo)
CVE Published:
18 June 2026

What is CVE-2025-58175?

GeoServer, an open source platform for sharing and editing geospatial data, contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. It is reachable when the instance is configured with ENTITY_RESOLUTION_ALLOWLIST together with a proxy base URL that has no path component or ends with a slash. In that configuration a remote attacker with no credentials can make the server issue requests to destinations it would not otherwise reach, which can expose internal services and sensitive information. The fix ships in GeoServer 2.26.4 and 2.27.3; deployments that cannot upgrade immediately should set the proxy base URL to a value that includes a path component and does not end with a trailing slash.

Affected Version(s)

Package                         Affected range          Fixed in
org.geoserver:gs-main           < 2.26.4                2.26.4
org.geoserver:gs-main           >= 2.27.0, < 2.27.3     2.27.3
org.geoserver.web:gs-web-app    < 2.26.4                2.26.4
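The following check script turns the preconditions above (affected version range, ENTITY_RESOLUTION_ALLOWLIST set, proxy base URL without a path or with a trailing slash) into something you can run against a deployment's settings. It is an added example, not GeoServer's own code; it assumes you can read the GeoServer version string and the configured proxy base URL from the instance, and the function and parameter names (assess, proxy_base_url, allowlist_configured) are this example's own. The sample deployments at the bottom are constructed, not real hosts.

```python
"""Configuration check for the CVE-2025-58175 preconditions (added example,
not GeoServer code). Inputs assumed: GeoServer version string, the configured
proxy base URL, and whether ENTITY_RESOLUTION_ALLOWLIST is set."""
from urllib.parse import urlsplit

# Affected ranges for org.geoserver:gs-main / org.geoserver.web:gs-web-app,
# as (inclusive lower bound, exclusive upper bound) version tuples.
AFFECTED_RANGES = (
    ((0, 0, 0), (2, 26, 4)),   # < 2.26.4             (fixed in 2.26.4)
    ((2, 27, 0), (2, 27, 3)),  # >= 2.27.0, < 2.27.3  (fixed in 2.27.3)
)


def parse_version(version):
    """'2.27.1' or '2.27.1-SNAPSHOT' -> (2, 27, 1); missing parts become 0."""
    parts = []
    for piece in version.strip().split("-")[0].split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_is_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def proxy_base_url_is_risky(proxy_base_url):
    """True for the two URL shapes the advisory names: no path component at
    all (https://host, https://host:8443) or a path that ends in '/'."""
    path = urlsplit(proxy_base_url.strip()).path
    return path == "" or path.endswith("/")


def assess(version, proxy_base_url, allowlist_configured):
    """Verdict dict: vulnerable only when all three advisory conditions hold
    (affected version, allowlist configured, risky proxy base URL). An unset
    proxy base URL is treated as not matching the described condition."""
    affected = version_is_affected(version)
    risky_url = bool(proxy_base_url) and proxy_base_url_is_risky(proxy_base_url)
    vulnerable = affected and allowlist_configured and risky_url
    if not affected:
        action = "no action: version is outside the affected ranges"
    elif vulnerable:
        action = ("upgrade to 2.26.4 / 2.27.3, or until then set the proxy base "
                  "URL to a value with a path and no trailing slash "
                  "(e.g. https://maps.example.com/geoserver)")
    else:
        action = ("upgrade when possible; the current configuration does not "
                  "meet the advisory's preconditions")
    return {"affected_version": affected, "allowlist": allowlist_configured,
            "risky_proxy_base_url": risky_url, "vulnerable": vulnerable,
            "action": action}


if __name__ == "__main__":
    # Constructed sample deployments, not real hosts.
    samples = [("2.26.3", "https://maps.example.com", True),
               ("2.27.1", "https://maps.example.com/geoserver/", True),
               ("2.27.1", "https://maps.example.com/geoserver", True),
               ("2.27.3", "https://maps.example.com/", True)]
    for v, url, al in samples:
        r = assess(v, url, al)
        print(f"{v:7} {url:40} allowlist={al!s:5} -> vulnerable={r['vulnerable']}")
```

The version comparison is deliberately strict about the fixed releases: 2.26.4 and 2.27.3 fall outside the ranges, and a 2.26.x release at or above 2.26.4 is not re-flagged by the 2.27 range. Pre-release suffixes such as -SNAPSHOT are ignored when parsing, so treat a snapshot build's verdict as an approximation.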


CVSS v3.1

Score: 6.5
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Note: the metric values listed above (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H) compute to a base score of 7.4 (High) under the CVSS v3.1 formula, not 6.5, so either the score or one of the impact metrics is misreported on this page. Check the vendor advisory or the NVD entry for the authoritative vector before using the score for prioritisation.

Timeline

  • Vulnerability reserved

  • Vulnerability published (18 June 2026)