What is the CVSS score of CVE-2025-27505?

CVE-2025-27505 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.4%.

Which versions of Geoserver are affected by CVE-2025-27505?

Organizations using GeoServer should be aware of moderate risk from CVE-2025-27505, a missing authorization vulnerability rated CVSS 5.3. Attackers could gain access beyond their authorized level.. A patch is available.

Is there a public PoC exploit available for CVE-2025-27505?

Yes, a public proof-of-concept exploit is available for CVE-2025-27505. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2025-27505?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Geoserver CVE-2025-27505

EUVD-2025-17687 MEDIUM

Missing Authorization (CWE-862)

2025-06-10 security-advisories@github.com

GHSA-h86g-x8mm-78m5

Authentication Bypass Geoserver

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 19:49 euvd

EUVD-2025-17687

Analysis Generated

Mar 14, 2026 - 19:49 vuln.today

Patch released

Mar 14, 2026 - 19:49 nvd

Patch available

PoC Detected

Aug 26, 2025 - 16:11 vuln.today

Public exploit code

CVE Published

Jun 10, 2025 - 15:15 nvd

MEDIUM 5.3

DescriptionGitHub Advisory

GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/ and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/ and restart GeoServer.

Analysis

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862).

RemediationAI

A vendor patch is available. Apply it as soon as possible and verify the fix.

CVE-2025-27505 vulnerability details – vuln.today

Back

Geoserver CVE-2025-27505

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code