CVE-2025-52465 - Vulnerability Details

- GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file, the target file can not already exist and all parent directories must already exist. Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations where the web interface is either disabled or completely removed are not affected since the vulnerability exists in one of the web pages.

Published: 2026-06-18

Score: 7.2 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

GeoServer allows an authenticated administrator with security system access to specify an absolute path to a non‑existing file on the Master Password Dump page, causing the server to write a file containing the master password in plaintext. This is a file‑write vulnerability (CWE‑73) that results in credential disclosure and potential compromise of the entire server.

Affected Systems

The flaw exists in GeoServer 2.26.x prior to 2.26.4 and in 2.27.x prior to 2.27.3, within the modules org.geoserver.web:gs-web-app and org.geoserver.web:gs-web-sec-core. Installations that have removed or disabled the Web interface are not affected.

Risk and Exploitability

The CVSS score is 7.2, indicating high severity. EPSS is unavailable and the vulnerability is not listed in KEV. Exploitation requires valid administrator credentials and access to the security system. The attack path involves providing an absolute file name for a new file; the target file cannot already exist and the parent directories must exist. No public exploit is known, but the high impact data exposure warrants immediate action.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

geoserver

org.geoserver.web:gs-web-app

affected

Version	Status	Constraints
`< 2.26.4`	affected	—
`>= 2.27.0, < 2.27.3`	affected	—

geoserver

org.geoserver.web:gs-web-sec-core

affected

Version	Status	Constraints
`< 2.26.4`	affected	—
`>= 2.27.0, < 2.27.3`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade GeoServer to version 2.26.4 or later 2.27.3 or newer
Disable or remove the GeoServer web interface if it is not required
Ensure only trusted administrators have access to the security system and enforce least privilege

Generated by OpenCVE AI on June 18, 2026 at 17:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-7qmg-grcp-qf25	GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/geoserver/geoserver/pull/8584
https://github.com/geoserver/geoserver/security/advisories/GHSA-7qmg-grcp-qf25
https://osgeo-org.atlassian.net/browse/GEOS-11852
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild

History

Thu, 18 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file, the target file can not already exist and all parent directories must already exist. Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations where the web interface is either disabled or completely removed are not affected since the vulnerability exists in one of the web pages.
Title		GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page
Weaknesses		CWE-73
References		https://github.com/geoserver/geoserver/pull/8584 https://github.com/geoserver/geoserver/security/advisories/GHSA-7qmg-grcp-qf25 https://osgeo-org.atlassian.net/browse/GEOS-11852 https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-18T14:28:41.270Z

Updated: 2026-06-18T15:24:32.009Z

Reserved: 2025-06-17T02:28:39.716Z

Link: CVE-2025-52465

Vulnrichment

Updated: 2026-06-18T15:24:28.449Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T17:45:13Z

Weaknesses

CWE-73
External Control of File Name or Path

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object