GHSA-68cf-j696-wvv9: GeoServer vulnerable to SSRF in TestWfsPost for specific targets, e.g. PHP + Nginx

High severity • GitHub Reviewed • Published Jun 10, 2025 in geoserver/geoserver • Updated Jun 10, 2025

Package

org.geoserver:gs-wfs (Maven)

Affected versions

>= 1.0.0, < 2.24.4

>= 2.25.0, < 2.25.2

Patched versions

2.24.4

2.25.2

Summary

Missing checks in the TestWfsPost endpoint allow server-side request forgery (SSRF) against specific targets, for example a PHP application served behind Nginx.

Mitigation

As a system administrator, set the PROXY_BASE_URL parameter to a non-empty value. A proxy base URL configured this way cannot be overridden from the user interface or by an incoming request.

Resolution

The TestWfsPost endpoint has been removed in GeoServer 2.24.4 and 2.25.2 and replaced by a JavaScript Demo Requests page for testing OGC Web Services.
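The following triage helper is an example added to this page; it is not part of the advisory or of the GeoServer project. It encodes the affected and patched version ranges listed above and the mitigation condition from the Mitigation section (a non-empty PROXY_BASE_URL), and classifies a deployment as vulnerable, mitigated, or outside the affected ranges. The host names, version strings and URLs in the inventory are constructed sample input. One assumption goes beyond the advisory: the helper also requires the PROXY_BASE_URL value to be an absolute http(s) URL with a host, as an extra sanity check on top of "non-empty".

```python
"""Added triage helper for GHSA-68cf-j696-wvv9 (not GeoServer project code).

Encodes the advisory's affected/patched ranges and its mitigation condition
so a set of GeoServer instances can be classified offline from an inventory.
"""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the advisory, as [lower, upper) pairs.
AFFECTED_RANGES = (
    ((1, 0, 0), (2, 24, 4)),
    ((2, 25, 0), (2, 25, 2)),
)

_VERSION_RE = re.compile(
    r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.][0-9A-Za-z.-]*)?\s*"
)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    A trailing qualifier such as '-SNAPSHOT' is ignored and a missing patch
    level counts as 0.  Anything else raises ValueError, so an unrecognised
    string is never silently classified as patched.
    """
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def mitigation_in_place(proxy_base_url: Optional[str]) -> bool:
    """Check the advisory's mitigation: a non-empty PROXY_BASE_URL.

    Empty or whitespace-only values do not count.  As an extra sanity check
    (an assumption added here, stricter than the advisory's "non-empty"),
    the value must also be an absolute http(s) URL with a host, since that
    is what an administrator-chosen proxy base looks like.
    """
    if not proxy_base_url or not proxy_base_url.strip():
        return False
    parts = urlsplit(proxy_base_url.strip())
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def triage(version: str, proxy_base_url: Optional[str]) -> str:
    """Classify one deployment as 'not-affected', 'mitigated' or 'vulnerable'.

    'mitigated' means the version is affected but PROXY_BASE_URL is set as
    the advisory recommends; the permanent fix is still to upgrade to
    2.24.4 / 2.25.2, where TestWfsPost no longer exists.
    """
    if not is_affected(version):
        return "not-affected"
    if mitigation_in_place(proxy_base_url):
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (host, reported version, PROXY_BASE_URL).
    inventory = [
        ("gis-prod-1", "2.24.3", None),
        ("gis-prod-2", "2.24.3", "https://gis.example.org/geoserver"),
        ("gis-stage", "2.25.1", ""),
        ("gis-dev", "2.25-SNAPSHOT", "geoserver"),
        ("gis-new", "2.25.2", None),
    ]
    for host, version, pbu in inventory:
        print(f"{host:12} {version:14} {triage(version, pbu)}")
```

Feed it the version each instance reports and the PROXY_BASE_URL value it was started with (for example the -DPROXY_BASE_URL=... JVM system property or the environment variable of the same name). A "mitigated" result is a stopgap only: the endpoint itself is gone in the patched releases, so upgrading remains the resolution.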

References

  • CVE-2024-29198 Unauthenticated SSRF via TestWfsPost
  • GHSA-5gw5-jccf-6hxw
  • GHSA-68cf-j696-wvv9

Published to the GitHub Advisory Database

Jun 10, 2025

Last updated

Jun 10, 2025
