Impact
GeoNode versions 4.4.5 and 5.0.2, and earlier releases in the same series, contain a server‑side request forgery flaw in the service registration endpoint. Authenticated attackers can submit a crafted service URL that the server validates and subsequently fetches, causing outbound HTTP(S) requests to arbitrary destinations. The root cause is insufficient URL validation in the WMS service handler, which has neither private‑IP filtering nor allowlist enforcement. This lets attackers probe internal network assets, including loopback interfaces, RFC1918 private ranges, link‑local addresses, and cloud metadata services. The vulnerability is classified as CWE‑918.
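One way to implement the private‑IP filtering and allowlist check whose absence is described above, shown as an added example that is not GeoNode's code or its patch. The function names, the `resolver` hook and the `allowed_hosts` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host, port):
    """Return the set of IP strings the server would connect to for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_service_url(url, resolver=system_resolver, allowed_hosts=frozenset()):
    """Return (ok, reason) for a user-supplied remote service URL.

    allowed_hosts is an optional allowlist of lowercase host names (a
    hypothetical deployment setting); when empty, only the address filter runs.
    """
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return False, "missing host"
    if allowed_hosts and host not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        addresses = resolver(host, port)
    except (OSError, UnicodeError):
        return False, "host did not resolve"
    if not addresses:
        return False, "host did not resolve"
    # Reject if ANY resolved address is non-public, so a name that maps to
    # both a public and an internal address cannot pass.
    for raw in addresses:
        ip = ipaddress.ip_address(raw.split("%")[0])  # drop IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # classify ::ffff:a.b.c.d as IPv4
        # is_global is False for loopback, RFC1918, link-local (which
        # covers 169.254.169.254), unspecified and reserved ranges.
        if not ip.is_global or ip.is_multicast:
            return False, f"{ip} is not a public address"
    return True, "ok"
```

A check like this only holds if the subsequent fetch connects to the addresses that were validated and repeats the check on every redirect; otherwise a DNS change between validation and request defeats it.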
Affected Systems
Affected versions are GeoNode 4.0 through 4.4.4 and GeoNode 5.0 through 5.0.1. The product is GeoNode, an open‑source platform for geospatial content management. Patches that address this issue are available in GeoNode 4.4.5 and 5.0.2, as referenced in the official release notes.
Risk and Exploitability
The CVSS v3.1 score is 5.3, indicating medium severity. The EPSS score is <1%, suggesting a low but non‑zero probability of exploitation, and the flaw is not currently listed in the CISA KEV catalog. Because only authenticated users can trigger the SSRF, the attack requires valid credentials and presumably a web session. Nonetheless, an attacker could use the bypass to discover internal host addresses or access privileged metadata endpoints, which could serve as a foothold for further exploitation. Organizations should promptly assess whether their installations run a vulnerable version and prioritize applying the available patch.