GHSA-x4r9-gmw3-hxww

Source
https://github.com/advisories/GHSA-x4r9-gmw3-hxww
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-x4r9-gmw3-hxww/GHSA-x4r9-gmw3-hxww.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x4r9-gmw3-hxww
Aliases
  • CVE-2025-58175
Published
2026-06-12T18:23:35Z
Modified
2026-06-12T18:30:08.484377668Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
Summary
GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
Details

Summary

A GeoServer instance that uses ENTITY_RESOLUTION_ALLOWLIST may allow an attacker to perform unauthenticated Server-Side Request Forgery (SSRF).

Details

This vulnerability requires that GeoServer be set up to use a proxy base URL together with the ENTITY_RESOLUTION_ALLOWLIST (the default since 2.25.0).

Impact

This vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.

Workaround

GeoServer installations are only affected by this vulnerability if they use a proxy base URL that has no URL path and does not end with a slash (e.g., https://somesite.org instead of https://somesite.org/ or https://somesite.org/geoserver). If the proxy base URL contains no path, adding a trailing slash to the URL mitigates this vulnerability.
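As an added check that is not part of the advisory or of GeoServer's own code, the following Python audits a configured proxy base URL against the workaround above and a GeoServer version string against the affected ranges listed on this page; the sample URLs and versions are constructed, and the property name PROXY_BASE_URL is only a hypothetical label for wherever the value is stored.

```python
from urllib.parse import urlparse, urlunparse

# Affected ranges exactly as listed in the advisory, as (introduced, fixed).
# (0,) stands for "unknown introduced version / all previous versions".
AFFECTED_RANGES = [((0,), (2, 26, 4)), ((2, 27, 0), (2, 27, 3))]


def parse_version(version: str) -> tuple:
    """Turn '2.26.3' into (2, 26, 3) so ranges compare as tuples."""
    return tuple(int(part) for part in version.strip().split("."))


def version_status(version: str) -> str:
    """Return 'affected' if the version falls inside a listed range,
    otherwise 'not-affected' (the advisory's fixed versions 2.26.4 and
    2.27.3 land here)."""
    ver = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if introduced <= ver < fixed:
            return "affected"
    return "not-affected"


def audit_proxy_base_url(url: str) -> dict:
    """Classify a proxy base URL (hypothetically read from PROXY_BASE_URL)
    against the workaround: exposure exists only when the URL has no path
    and no trailing slash; the fix is to append the slash."""
    parts = urlparse(url.strip())
    if not parts.scheme or not parts.netloc:
        # No scheme/host: not a usable proxy base URL, flag for review.
        return {"url": url, "status": "invalid", "fixed": None}
    if parts.path == "":
        # Path is empty, so the URL cannot end with a slash either.
        # Insert '/' as the path; query and fragment are preserved.
        fixed = urlunparse(parts._replace(path="/"))
        return {"url": url, "status": "exposed", "fixed": fixed}
    # Either '/' alone or a real path such as '/geoserver': not exposed.
    return {"url": url, "status": "ok", "fixed": url}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for sample in ("https://somesite.org", "https://somesite.org/",
                   "https://somesite.org/geoserver", "somesite.org"):
        print(audit_proxy_base_url(sample))
    for v in ("2.26.3", "2.26.4", "2.27.2", "2.27.3"):
        print(v, version_status(v))
```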

Resources

  • https://osgeo-org.atlassian.net/browse/GEOS-11867
  • https://github.com/geoserver/geoserver/pull/8622

Credits:

  • Le Mau Anh Phong at Verichains Cyber Force
Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-12T18:23:35Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-20",
        "CWE-611",
        "CWE-918"
    ]
}
References

Affected packages

Maven / org.geoserver.web:gs-web-app

Package

Name
org.geoserver.web:gs-web-app
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver.web/gs-web-app

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.26.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-x4r9-gmw3-hxww/GHSA-x4r9-gmw3-hxww.json"
last_known_affected_version_range
"<= 2.26.3"

Maven / org.geoserver:gs-main

Package

Name
org.geoserver:gs-main
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver/gs-main

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.26.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-x4r9-gmw3-hxww/GHSA-x4r9-gmw3-hxww.json"
last_known_affected_version_range
"<= 2.26.3"

Maven / org.geoserver:gs-main

Package

Name
org.geoserver:gs-main
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver/gs-main

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.27.0
Fixed
2.27.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-x4r9-gmw3-hxww/GHSA-x4r9-gmw3-hxww.json"
last_known_affected_version_range
"<= 2.27.2"

Maven / org.geoserver.web:gs-web-app

Package

Name
org.geoserver.web:gs-web-app
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver.web/gs-web-app

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.27.0
Fixed
2.27.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-x4r9-gmw3-hxww/GHSA-x4r9-gmw3-hxww.json"
last_known_affected_version_range
"<= 2.27.2"