SecuriTricks - CVE-2025-27505

Description

GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.

Product(s) Impacted

Vendor	Product	Versions
Geoserver	Geoserver	2.26.3, 2.25.6

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	geoserver	geoserver	2.26.3	/	/	/	/	/	/	/
a	geoserver	geoserver	2.25.6	/	/	/	/	/	/	/

References

https://github.com/geoserver/geoserver/pull/8170

https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5

https://osgeo-org.atlassian.net/browse/GEOS-11664

https://osgeo-org.atlassian.net/browse/GEOS-11776

CVSS Score

5.3 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

View Vector String

Timeline

Published: June 10, 2025, 3:15 p.m.
Last Modified: June 10, 2025, 3:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-27505