Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow an attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
Published: 2026-06-18
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GeoServer, an open-source geospatial server, has a server-side request forgery flaw linked to XML entity resolution when the ENTITY_RESOLUTION_ALLOWLIST is used. The flaw requires that GeoServer is configured with a proxy base URL that contains no path component, not even a trailing slash. From the description it is inferred that an attacker can send a crafted XML document that causes GeoServer to resolve external entities, resulting in arbitrary outbound requests and potential internal data exposure.

Affected Systems

All GeoServer installations on the 2.26.x line before version 2.26.4, or on the 2.27.x line before version 2.27.3, that use the ENTITY_RESOLUTION_ALLOWLIST setting and a proxy base URL lacking a path or trailing slash are vulnerable; the setting that triggers the issue is the default since version 2.25.0.

Risk and Exploitability

The CVSS score of 6.5 signals moderate severity, while the EPSS score is unavailable, leaving the likelihood of exploitation unknown. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw from outside the network without authentication whenever the instance is reachable; the potential attack path is inferred from the behavior described in the advisory.

Generated by OpenCVE AI on June 18, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply GeoServer 2.26.4 or newer (or 2.27.3 or later) to install the official fix.
  • Change the proxy base URL so that it includes a path component or ends with a trailing slash; for example, replace "http://example.com" with "http://example.com/".
  • If the ENTITY_RESOLUTION_ALLOWLIST or proxy base URL is not required, disable them entirely to eliminate the SSRF vector.
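As an added illustration (not part of the OpenCVE record or of GeoServer's own code), the Python helper below turns the advisory's three preconditions into a configuration audit: it checks the release against the fixed versions, tests whether the configured proxy base URL lacks a URL path (a bare trailing slash counts as a path), and produces the slash-appended URL the workaround calls for. The function names and the sample version/URL inputs are constructed for this example.

```python
from urllib.parse import urlsplit

# First fixed release on each maintained line, as stated in the advisory.
FIXED_RELEASES = ((2, 26, 4), (2, 27, 3))


def parse_version(version: str) -> tuple:
    """'2.26.3' -> (2, 26, 3); missing components are treated as 0."""
    parts = [int(p) for p in version.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed_version(version: str) -> bool:
    """True once the release carries the fix: 2.26.4+ on the 2.26 line,
    2.27.3+ on the 2.27 line and anything newer. Older lines (e.g. 2.25.x)
    are treated as unfixed, following 'prior to versions 2.26.4 and 2.27.3'."""
    v = parse_version(version)
    same_line = [f for f in FIXED_RELEASES if f[:2] == v[:2]]
    return v >= same_line[0] if same_line else v >= FIXED_RELEASES[-1]


def proxy_base_url_is_exposed(url: str) -> bool:
    """The advisory's precondition: a proxy base URL with no URL path at all.
    'http://host' and 'http://host:8080' are exposed; 'http://host/' is not."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return parts.path == ""


def mitigated_proxy_base_url(url: str) -> str:
    """Apply the workaround: append a trailing slash when the URL has no path."""
    return url + "/" if proxy_base_url_is_exposed(url) else url


def assess(version: str, proxy_base_url: str, allowlist_enabled: bool = True) -> dict:
    """Combine the preconditions (allowlist in use, pathless proxy base URL,
    unfixed release) into a single verdict plus the recommended URL."""
    exposed = proxy_base_url_is_exposed(proxy_base_url)
    fixed = is_fixed_version(version)
    return {
        "vulnerable": allowlist_enabled and exposed and not fixed,
        "fixed_version": fixed,
        "proxy_base_url_exposed": exposed,
        "recommended_proxy_base_url": mitigated_proxy_base_url(proxy_base_url),
    }


if __name__ == "__main__":
    # Constructed sample: unfixed release with a pathless proxy base URL.
    print(assess("2.26.3", "https://maps.example.com"))
```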

Advisories

  • Source: GitHub GHSA
    ID: GHSA-x4r9-gmw3-hxww
    Title: GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution

History

Thu, 18 Jun 2026 16:45:00 +0000

Values added (no values removed):

  • Description: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow an attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
  • Title: GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
  • Weaknesses: CWE-20, CWE-611, CWE-918
  • References: none listed
  • Metrics:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T15:26:07.311Z

Reserved: 2025-08-27T13:34:56.189Z

Link: CVE-2025-58175

Vulnrichment

Updated: 2026-06-18T15:26:03.717Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses

  • CWE-20: Improper Input Validation
  • CWE-611: Improper Restriction of XML External Entity Reference
  • CWE-918: Server-Side Request Forgery (SSRF)