Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-27505

GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.

Published

2025-06-10T15:15:23.903

Last Modified

2025-08-26T16:11:55.620

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Primary
CWE-862

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	osgeo	geoserver	< 2.25.6	Yes
Application	osgeo	geoserver	< 2.26.3	Yes

References

https://github.com/geoserver/geoserver/pull/8170 Patch ([email protected])
https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5 Third Party Advisory ([email protected])
https://osgeo-org.atlassian.net/browse/GEOS-11664 Issue Tracking, Patch ([email protected])
https://osgeo-org.atlassian.net/browse/GEOS-11776 Permissions Required ([email protected])