
GeoServer CVE-2025-52465

HIGH · 7.2 (CVSS 3.1, GitHub Advisory)
External Control of File Name or Path (CWE-73)
2026-06-12 · https://github.com/geoserver/geoserver · GHSA-7qmg-grcp-qf25

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network-reachable admin UI (AV:N), deterministic write primitive (AC:L), requires GeoServer security-admin role (PR:H), no user interaction, and JSP-drop yields full host CIA impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 12, 2026 - 18:50 (vuln.today)
Analysis Generated: Jun 12, 2026 - 18:50 (vuln.today)
CVE Published: Jun 12, 2026 - 18:23 (github-advisory)

Description (GitHub Advisory)

Summary

A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file, the target file cannot already exist, and all parent directories must already exist.

Details

When dumping the master password, GeoServer will use the provided file name with minimal validation as long as it is a java.io.File path. The only limitation is that the fix for a previous, unrelated vulnerability prevents relative path traversal here, but absolute paths can be used to access arbitrary files. GeoServer does not enforce a maximum password length by default, which allows an administrator to place malicious code into their password, which could then be dumped into a JSP file.

Impact

Remote Code Execution (High severity)

This vulnerability can lead to executing arbitrary code if GeoServer is deployed in an environment where an attacker can dynamically deploy and execute a JSP file. This is possible if the geoserver.war file is simply placed into the webapps directory of a default Tomcat installation.

NTLM Hash Disclosure (Moderate severity)

If GeoServer is deployed in a Windows operating system and the GeoServer administrator does not already have access to the Windows account running the GeoServer process, it may be possible for the administrator to make GeoServer trigger an outbound NTLM request to a remote, attacker-controlled server and gain access to the NTLM hash or user password for use in future attacks.

Denial of Service (Low severity)

This vulnerability allows writing a file to any location where the GeoServer process has write permissions which could still potentially cause some kind of denial of service.

Mitigation

GeoServer installations where the web interface is either disabled or completely removed are not affected since the vulnerability exists in one of the web pages.

Resources

https://osgeo-org.atlassian.net/browse/GEOS-11852 https://github.com/geoserver/geoserver/pull/8584

Analysis (AI)

Arbitrary file write in GeoServer's Master Password Dump web page allows an authenticated administrator to write attacker-controlled content to any absolute filesystem path the GeoServer process can write to, including JSP files in a Tomcat webapps directory. Because GeoServer enforces no maximum master password length, an admin can embed malicious JSP code into the master password and dump it to an executable location, escalating to remote code execution on the host. No public exploit was identified at the time of analysis, and the issue is not in CISA KEV.

Technical Context (AI)

GeoServer is an open-source Java/Servlet GIS server (Maven artifacts org.geoserver.web:gs-web-app and gs-web-sec-core) typically deployed as a WAR file inside Apache Tomcat. The Master Password Dump page in the security web UI accepts a user-supplied filename and writes the cleartext master password to it using java.io.File with only minimal validation; a prior path-traversal fix blocks relative traversal but not absolute paths, which is the root cause class captured by CWE-73 (External Control of File Name or Path). Because the master password field has no length cap, the 'password' value itself becomes attacker-controlled file content, turning a write-primitive into JSP code execution under standard Tomcat auto-deployment.
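The Details and Technical Context sections above describe two validation gaps: a path check that refuses only relative traversal (so absolute paths pass) and no cap on the length of the value being written. The following is an added illustration, written for this page in Python rather than taken from GeoServer's own Java code, of how a "dump secret to file" endpoint can confine its target path and bound its content; the allowed directory, the .txt allowlist and the 128-character cap are assumptions chosen for the example.

```python
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".txt"}  # assumed allowlist: never a servlet-executable type such as .jsp
MAX_SECRET_LENGTH = 128      # assumed cap; the advisory says GeoServer enforces none by default

def lax_is_allowed(requested: str) -> bool:
    """Approximates the pre-fix check: only relative traversal is refused, so absolute paths pass."""
    return ".." not in Path(requested).parts

def hardened_target(requested: str, allowed_dir: Path) -> Path:
    """Resolve `requested` strictly inside allowed_dir or raise ValueError."""
    base = allowed_dir.resolve()
    # pathlib discards `base` when `requested` is absolute, so the containment check
    # below is what rejects absolute inputs; resolve() also defeats symlink escapes.
    target = (base / requested).resolve()
    if target == base or not target.is_relative_to(base):
        raise ValueError("target escapes the allowed dump directory")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("file extension not on allowlist")
    if not target.parent.is_dir():
        raise ValueError("parent directory does not exist")
    if target.exists():
        raise ValueError("target already exists")
    return target

def dump_secret(secret: str, requested: str, allowed_dir: Path) -> Path:
    """Write the secret only after every check passes; the length cap keeps it from doubling as file content."""
    if len(secret) > MAX_SECRET_LENGTH:
        raise ValueError("secret exceeds maximum length")
    target = hardened_target(requested, allowed_dir)
    target.write_text(secret, encoding="utf-8")
    return target

def accepts(requested: str, allowed_dir: Path) -> bool:
    try:
        hardened_target(requested, allowed_dir)
        return True
    except ValueError:
        return False

def demo() -> dict:
    """Constructed layout: a dump dir beside a Tomcat-style webapps tree; returns {label: (lax, hardened)}."""
    root = Path(tempfile.mkdtemp())
    (root / "dumps").mkdir()
    (root / "webapps" / "ROOT").mkdir(parents=True)
    cases = {"plain name": "master.txt",
             "relative traversal": "../webapps/ROOT/page.jsp",
             "absolute into webapps": str(root / "webapps" / "ROOT" / "page.jsp")}
    return {label: (lax_is_allowed(req), accepts(req, root / "dumps")) for label, req in cases.items()}
```

Running demo() shows the lax check accepting the absolute path into webapps while the hardened check rejects it, and both rejecting the relative traversal.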

Remediation (AI)

Vendor-released patch: upgrade to GeoServer 2.27.3 or 2.26.4 (or later) per the GitHub Security Advisory at https://github.com/geoserver/geoserver/security/advisories/GHSA-7qmg-grcp-qf25 and PR https://github.com/geoserver/geoserver/pull/8584.

Where immediate patching is not possible, mitigate by disabling or removing the GeoServer web administration interface entirely (the vulnerable code path is only reachable through the web UI), which eliminates the bug at the cost of losing browser-based administration and forcing all configuration through application properties or REST.

As compensating controls: tightly restrict membership of the GeoServer ROLE_ADMINISTRATOR group; deploy GeoServer behind a hardened reverse proxy that ACL-restricts the /web/ and security endpoints to trusted admin networks; run the servlet container as an unprivileged user whose write access does not include any auto-deploy directory (move geoserver.war out of Tomcat's default webapps autodeploy path and disable autoDeploy/unpackWARs); and on Windows, run the GeoServer service under a dedicated low-privilege local account and egress-block outbound SMB (TCP/445) to deny NTLM-relay coercion.
