Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (GitHub Advisory)
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.
Analysis (AI)
GeoServer contains a Server-Side Request Forgery (SSRF) vulnerability in the Demo request endpoint (the TestWfsPost servlet) that allows unauthenticated network attackers to make arbitrary HTTP requests from the server when Proxy Base URL is not configured. This high-severity vulnerability (CVSS 7.5) affects GeoServer versions prior to 2.24.4 and 2.25.2; it lets attackers reach internal resources and cloud metadata endpoints and potentially interact with backend systems.
Technical Context (AI)
The vulnerability exists in GeoServer's TestWfsPost servlet, a demonstration endpoint used for testing Web Feature Service (WFS) POST requests. The root cause is CWE-918 (Server-Side Request Forgery): user-supplied input to the Demo endpoint is not validated before being used to construct an HTTP request. When the Proxy Base URL setting is absent, the application does not enforce URL validation or filtering, so an attacker can specify an arbitrary destination URL, and the servlet issues the request server-side without adequate sanitization. GeoServer is written in Java and runs on application servers such as Tomcat, so it is a network-accessible target when exposed to untrusted networks.
Remediation (AI)
Immediate remediation:
(1) Upgrade to GeoServer 2.24.4 or later, or to 2.25.2 or later; these releases remove the vulnerable TestWfsPost servlet entirely.
(2) If immediate patching is not feasible, apply network-level mitigations: restrict access to GeoServer's demo endpoints with firewall rules, WAF rules or reverse-proxy configuration that blocks requests to /geoserver/web/wicket/resource/demo paths.
(3) Implement strict URL validation: configure 'Proxy Base URL' in GeoServer settings (Settings > Global > Proxy Base URL) to enforce a whitelist of allowed proxy destinations.
(4) Disable the demo request functionality if it is not required, by setting appropriate security constraints in web.xml or by disabling the TestWfsPost servlet registration.
(5) Monitor access logs for suspicious requests to demo endpoints with unusual URL parameters.
The vendor advisory and patches are available from GeoServer's GitHub security releases and official security bulletins.
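As an added example of the log monitoring in step (5), not taken from the advisory or from GeoServer's own code: a Python scanner that flags requests to the demo endpoint whose forwarded target points at loopback, private, link-local or cloud-metadata addresses. The servlet path /geoserver/TestWfsPost and the parameter name url are assumptions, and the sample log lines are constructed.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Paths to watch. The wicket demo path is quoted from the remediation text;
# "/geoserver/TestWfsPost" is the assumed mount point of the removed servlet.
DEMO_PATHS = ("/geoserver/TestWfsPost", "/geoserver/web/wicket/resource/demo")
TARGET_PARAM = "url"  # assumed name of the parameter carrying the forwarded URL

# Apache/Tomcat combined log format: client - user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+')

def is_internal_target(target):
    """True when the URL's host is loopback, private, link-local or a metadata name."""
    host = urlsplit(target).hostname
    if host is None:
        return False
    if host in ("localhost", "metadata", "metadata.google.internal"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # public hostname; DNS resolution deliberately skipped offline
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved

def scan_access_log(lines):
    """Return (client, path, target) for demo-endpoint requests aimed inward."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        client, _method, request, _status = m.groups()
        parts = urlsplit(request)
        if not parts.path.startswith(DEMO_PATHS):
            continue
        # parse_qs percent-decodes values, so encoded and raw targets compare alike
        for target in parse_qs(parts.query).get(TARGET_PARAM, []):
            if is_internal_target(target):
                hits.append((client, parts.path, target))
    return hits

# Constructed sample lines: two inward-pointing demo requests, one legitimate
# external WFS target and one ordinary WFS call that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "GET /geoserver/TestWfsPost?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jul/2024:12:00:02 +0000] "GET /geoserver/TestWfsPost?url=http%3A%2F%2F127.0.0.1%3A8080%2Fgeoserver%2Frest HTTP/1.1" 200 2048',
    '198.51.100.3 - - [10/Jul/2024:12:00:03 +0000] "GET /geoserver/TestWfsPost?url=https%3A%2F%2Fwfs.example.org%2Fwfs HTTP/1.1" 200 1024',
    '198.51.100.3 - - [10/Jul/2024:12:00:04 +0000] "GET /geoserver/wfs?service=WFS&request=GetCapabilities HTTP/1.1" 200 4096',
]
```

Running scan_access_log(SAMPLE_LOG) returns the first two lines as hits; feed real access-log lines in place of SAMPLE_LOG to use it against a live server.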
EUVD-2024-26218
GHSA-5gw5-jccf-6hxw