GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.
Metrics
Affected Vendors & Products
References
History
Tue, 26 Aug 2025 16:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Osgeo
Osgeo geoserver |
|
CPEs | cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:* | |
Vendors & Products |
Osgeo
Osgeo geoserver |
Sat, 12 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
epss
|
epss
|
Tue, 17 Jun 2025 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 10 Jun 2025 14:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue. | |
Title | GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost | |
Weaknesses | CWE-918 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-06-17T19:12:00.664Z
Reserved: 2024-03-18T17:07:00.095Z
Link: CVE-2024-29198

Updated: 2025-06-10T14:34:59.250Z

Status : Analyzed
Published: 2025-06-10T15:15:22.140
Modified: 2025-08-26T16:25:00.947
Link: CVE-2024-29198

No data.

Updated: 2025-06-24T09:44:12Z