CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet, resolving this issue.
Analysis
GeoServer contains a Server-Side Request Forgery (SSRF) vulnerability in the Demo request endpoint (TestWfsPost servlet) that allows unauthenticated network attackers to make arbitrary HTTP requests from the server when Proxy Base URL is not configured. This high-severity vulnerability (CVSS 7.5) affects GeoServer versions prior to 2.24.4 and 2.25.2, enabling attackers to access internal resources, cloud metadata endpoints, and potentially interact with backend systems.
Technical Context
The vulnerability exists in GeoServer's TestWfsPost servlet, a demonstration endpoint used for testing Web Feature Service (WFS) POST requests. The servlet takes a caller-supplied destination URL and a request body, forwards the body to that URL from the server, and returns the response. The root cause is CWE-918 (Server-Side Request Forgery): the only restriction on the destination is a comparison against the configured Proxy Base URL, so when Proxy Base URL is absent there is nothing to compare against and any destination is accepted, including loopback, private-network and cloud metadata addresses that are unreachable from outside. GeoServer is written in Java and runs on application servers such as Tomcat, so an instance exposed to an untrusted network is reachable by unauthenticated attackers.
Affected Products
GeoServer versions prior to 2.24.4 and prior to 2.25.2 are affected. Specifically: GeoServer 2.24.x (all versions before 2.24.4), GeoServer 2.25.x (all versions before 2.25.2), and all earlier major versions (2.23.x and below). The vulnerability is specific to installations where 'Proxy Base URL' has not been configured in GeoServer settings. CPE identifier: cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* (versions <2.24.4 and <2.25.2). Affected installations typically include: public GeoServer instances, GeoServer in containerized deployments without proper network segmentation, cloud-hosted GeoServer instances, and geospatial data platforms using GeoServer as a backend.
Remediation
Immediate remediation: (1) Upgrade to GeoServer 2.24.4 or later, or to GeoServer 2.25.2 or later; both releases remove the vulnerable TestWfsPost servlet entirely. (2) If immediate patching is not feasible, apply network-level mitigations: restrict access to the servlet path (/geoserver/TestWfsPost) using firewall rules, WAF rules, or reverse proxy configuration so that only trusted clients can reach it. (3) Configure 'Proxy Base URL' in GeoServer settings (Settings > Global > Proxy Base URL). This is a single base URL, not a list: with it set, the servlet only forwards requests whose destination matches that base, so a target such as an internal address or a metadata endpoint is refused. (4) Disable the demo request functionality if it is not required, by adding a security constraint for the servlet path in web.xml or by removing the TestWfsPost servlet registration. (5) Monitor access logs for requests to the servlet path, especially GET requests whose URL parameter points at loopback, RFC 1918 or link-local addresses (for example 169.254.169.254); note that the destination of a POST request is carried in the body and will not appear in a standard access log, so any POST to the servlet from an untrusted client is worth reviewing. Vendor advisory and patches are available from the GeoServer GitHub security releases and official security bulletins.
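The following is an added example, written in Python for this page and not GeoServer's own Java code. It shows two things the Technical Context and Remediation sections describe: the deny-by-default origin check that a configured Proxy Base URL gives the demo proxy (next to the vulnerable behaviour of skipping the check when the setting is absent), and a scan of access-log lines for abuse of the servlet. Assumptions, not taken from the advisory: the servlet is reached at /geoserver/TestWfsPost, the destination is passed as a query parameter named `url`, and the log lines are in Combined Log Format. All log lines below are constructed for the example.

```python
# Added example (Python), not GeoServer's Java code. Assumptions: servlet path
# /geoserver/TestWfsPost, destination in a query parameter named "url",
# Combined Log Format access log. Sample log lines are constructed.
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) with default ports filled in, or None."""
    p = urlparse(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    try:
        port = p.port or DEFAULT_PORTS[p.scheme]
    except ValueError:  # non-numeric port
        return None
    return (p.scheme, p.hostname.lower(), port)


def target_allowed(target, proxy_base_url):
    """Deny-by-default: target must share scheme, host and port with the
    configured Proxy Base URL. With no Proxy Base URL there is nothing to
    compare against, so every target is refused."""
    if not proxy_base_url:
        return False
    t, b = _origin(target), _origin(proxy_base_url)
    return t is not None and b is not None and t == b


def vulnerable_target_allowed(target, proxy_base_url):
    """The behaviour the advisory describes: no Proxy Base URL, no check."""
    if not proxy_base_url:
        return True
    return target_allowed(target, proxy_base_url)


def is_internal_host(host):
    """Loopback, RFC 1918, link-local (incl. 169.254.169.254) or localhost.
    Hostnames are not resolved here, so DNS names for internal hosts pass."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


# Combined Log Format: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def scan_access_log(lines, proxy_base_url=None,
                    servlet_path="/geoserver/TestWfsPost"):
    """Flag requests to the demo proxy whose destination is internal, is not
    covered by the Proxy Base URL, or is not visible in the log (POST body)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlparse(m.group("path"))
        if req.path != servlet_path:
            continue
        target = parse_qs(req.query).get("url", [None])[0]
        if target is None:
            reason = "no url parameter in log line (POST body not logged)"
        else:
            o = _origin(target)
            if o is None:
                reason = "unparsable target or unsupported scheme"
            elif is_internal_host(o[1]):
                reason = "target is an internal or metadata address"
            elif not target_allowed(target, proxy_base_url):
                reason = ("no Proxy Base URL configured, any target accepted"
                          if not proxy_base_url
                          else "target outside Proxy Base URL origin")
            else:
                continue  # matches the configured base: expected traffic
        findings.append({"client": m.group("client"), "method": m.group("method"),
                         "target": target, "reason": reason})
    return findings


# Constructed sample lines; the first two show metadata and internal reach.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /geoserver/TestWfsPost?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /geoserver/TestWfsPost?url=http://10.0.0.5:8080/admin HTTP/1.1" 200 88',
    '198.51.100.2 - - [10/Jun/2024:12:00:03 +0000] "GET /geoserver/TestWfsPost?url=https://geo.example.org/geoserver/wfs HTTP/1.1" 200 2048',
    '198.51.100.2 - - [10/Jun/2024:12:00:04 +0000] "POST /geoserver/TestWfsPost HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jun/2024:12:00:05 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, proxy_base_url="https://geo.example.org/geoserver"):
        print(f)
```

Run against the constructed sample with the Proxy Base URL set to https://geo.example.org/geoserver, the scan reports the two GET requests aimed at the metadata service and an internal host, plus the POST whose destination the log cannot show, and passes the request whose target matches the configured origin. The origin comparison normalises default ports, so https://geo.example.org:443/... and https://geo.example.org/... are treated as the same origin; a scheme such as file: or gopher: never parses to an origin and is refused outright.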
EUVD-2024-26218
GHSA-5gw5-jccf-6hxw