GHSA-x4r9-gmw3-hxwwMediumCVSS 6.5

GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution

Published
June 12, 2026
Last Modified
June 12, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

A GeoServer that uses ENTITY_RESOLUTION_ALLOWLIST may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).

Details

This vulnerability requires that GeoServer is set up to use a proxy base URL and the ENTITY_RESOLUTION_ALLOWLIST (default since 2.25.0):

Impact

This vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.

Workaround

GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., https://somesite.org instead of https://somesite.org/ or https://somesite.org/geoserver). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.

Resources

https://osgeo-org.atlassian.net/browse/GEOS-11867 https://github.com/geoserver/geoserver/pull/8622

Credits:

  • Le Mau Anh Phong at Verichains Cyber Force

🎯 Affected products4

  • maven/org.geoserver.web:gs-web-app:<= 2.26.3
  • maven/org.geoserver:gs-main:<= 2.26.3
  • maven/org.geoserver:gs-main:>= 2.27.0, <= 2.27.2
  • maven/org.geoserver.web:gs-web-app:>= 2.27.0, <= 2.27.2

🔗 References (3)