CVE-2025-58175

June 18, 2026, 6:04 p.m.

6.5
Medium

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.

Product(s) Impacted

Vendor Product Versions
Geoserver
  • Geoserver
  • <2.26.4, <2.27.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a geoserver geoserver <2.26.4 / / / / / / /
a geoserver geoserver <2.27.3 / / / / / / /

References

https://github.com/geoserver/geoserver/pull/8622
https://github.com/geoserver/geoserver/security/advisories/GHSA-x4r9-gmw3-hxww
https://osgeo-org.atlassian.net/browse/GEOS-11867

Tags

CWE-20
[email protected]
2026-06-18
CVE-2025-58175

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L

    View Vector String

Timeline

Published: June 18, 2026, 4:16 p.m.
Last Modified: June 18, 2026, 6:04 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.