What is the CVSS score of CVE-2024-40625?

CVE-2024-40625 has a CVSS 3.1 base score of 5.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L. EPSS exploitation probability: 0.1%.

Which versions of Geoserver are affected by CVE-2024-40625?

Organizations using GeoServer should be aware of moderate risk from CVE-2024-40625, a server-side request forgery vulnerability rated CVSS 5.5.. A patch is available.

How to fix or mitigate CVE-2024-40625?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Geoserver CVE-2024-40625

EUVD-2025-17667 MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2025-06-10 security-advisories@github.com

GHSA-r4hf-r8gj-jgw2

SSRF Geoserver

5.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.5 MEDIUM

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 19:49 euvd

EUVD-2025-17667

Analysis Generated

Mar 14, 2026 - 19:49 vuln.today

Patch released

Mar 14, 2026 - 19:49 nvd

Patch available

CVE Published

Jun 10, 2025 - 15:15 nvd

MEDIUM 5.5

DescriptionGitHub Advisory

GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no restrict. This vulnerability is fixed in 2.26.0.

Analysis

Technical ContextAI

Server-Side Request Forgery allows an attacker to induce the server to make HTTP requests to arbitrary destinations, including internal services. This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918).

RemediationAI

A vendor patch is available — apply it immediately. Validate and whitelist allowed URLs and IP ranges. Block requests to internal/private IP ranges. Use network segmentation to limit server-side request scope.

CVE-2024-40625 vulnerability details – vuln.today

Back